From 01bc2627be6344f5bc2dbdbf1bac50fff42a06c2 Mon Sep 17 00:00:00 2001 From: Lachlan Arthur Date: Fri, 8 Dec 2017 15:24:22 +1000 Subject: [PATCH 1/2] Check SMB credentials before using them --- .../windows/scripts/check_credentials.ps1 | 19 ++++++++++ plugins/synced_folders/smb/synced_folder.rb | 37 +++++++++++++++---- templates/locales/synced_folder_smb.yml | 2 + 3 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 plugins/hosts/windows/scripts/check_credentials.ps1 diff --git a/plugins/hosts/windows/scripts/check_credentials.ps1 b/plugins/hosts/windows/scripts/check_credentials.ps1 new file mode 100644 index 000000000..28ce28a90 --- /dev/null +++ b/plugins/hosts/windows/scripts/check_credentials.ps1 @@ -0,0 +1,19 @@ +Param( + [Parameter(Mandatory=$true)] + [string]$username, + [Parameter(Mandatory=$true)] + [string]$password +) + +Add-Type -AssemblyName System.DirectoryServices.AccountManagement + +$DSContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext( + [System.DirectoryServices.AccountManagement.ContextType]::Machine, + $env:COMPUTERNAME +) + +if ( $DSContext.ValidateCredentials( $username, $password ) ) { + exit 0 +} else { + exit 1 +} \ No newline at end of file diff --git a/plugins/synced_folders/smb/synced_folder.rb b/plugins/synced_folders/smb/synced_folder.rb index 426def425..e834367df 100644 --- a/plugins/synced_folders/smb/synced_folder.rb +++ b/plugins/synced_folders/smb/synced_folder.rb @@ -30,11 +30,6 @@ module VagrantPlugins def prepare(machine, folders, opts) machine.ui.output(I18n.t("vagrant_sf_smb.preparing")) - # Check if this host can start and SMB service - if machine.env.host.capability?(:smb_start) - machine.env.host.capability(:smb_start) - end - smb_username = smb_password = nil # If we need auth information, then ask the user. @@ -48,12 +43,38 @@ module VagrantPlugins end end + script_path = File.expand_path("../scripts/check_credentials.ps1", __FILE__) + if !have_auth - machine.env.ui.detail(I18n.t("vagrant_sf_smb.warning_password") + "\n ") - smb_username = machine.env.ui.ask("Username: ") - smb_password = machine.env.ui.ask("Password (will be hidden): ", echo: false) + machine.ui.detail(I18n.t("vagrant_sf_smb.warning_password") + "\n ") + auth_success = false + while !auth_success do + @creds[:username] = machine.ui.ask("Username: ") + @creds[:password] = machine.ui.ask("Password (will be hidden): ", echo: false) + + args = [] + args << "-username" << "'#{@creds[:username].gsub("'", "''")}'" + args << "-password" << "'#{@creds[:password].gsub("'", "''")}'" + + r = Vagrant::Util::PowerShell.execute(script_path, *args) + + if r.exit_code == 0 + auth_success = true + end + + if !auth_success + machine.ui.output(I18n.t("vagrant_sf_smb.incorrect_credentials") + "\n ") + end + end end + # Check if this host can start and SMB service + if machine.env.host.capability?(:smb_start) + machine.env.host.capability(:smb_start) + end + + script_path = File.expand_path("../scripts/set_share.ps1", __FILE__) + folders.each do |id, data| data[:smb_username] ||= smb_username data[:smb_password] ||= smb_password diff --git a/templates/locales/synced_folder_smb.yml b/templates/locales/synced_folder_smb.yml index 3521ff4ff..5a7dd57b4 100644 --- a/templates/locales/synced_folder_smb.yml +++ b/templates/locales/synced_folder_smb.yml @@ -15,6 +15,8 @@ en: You will be asked for the username and password to use for the SMB folders shortly. Please use the proper username/password of your account. + incorrect_credentials: |- + Credentials incorrect. Please try again. uac: prune_warning: |- From 544427126881f1daefda36cf9b40a833041e7124 Mon Sep 17 00:00:00 2001 From: Chris Roberts Date: Fri, 12 Jan 2018 16:43:19 -0800 Subject: [PATCH 2/2] Move SMB credentials validation into host capability --- plugins/hosts/windows/cap/smb.rb | 10 +++++ plugins/hosts/windows/plugin.rb | 5 +++ plugins/synced_folders/smb/errors.rb | 4 ++ plugins/synced_folders/smb/synced_folder.rb | 39 ++++++++++--------- templates/locales/synced_folder_smb.yml | 3 ++ .../synced_folders/smb/synced_folder_test.rb | 25 +++++++++++- 6 files changed, 65 insertions(+), 21 deletions(-) diff --git a/plugins/hosts/windows/cap/smb.rb b/plugins/hosts/windows/cap/smb.rb index 457807f9c..17fae3d69 100644 --- a/plugins/hosts/windows/cap/smb.rb +++ b/plugins/hosts/windows/cap/smb.rb @@ -17,6 +17,16 @@ module VagrantPlugins true end + def self.smb_validate_password(env, machine, username, password) + script_path = File.expand_path("../../scripts/check_credentials.ps1", __FILE__) + args = [] + args << "-username" << "'#{username.gsub("'", "''")}'" + args << "-password" << "'#{password.gsub("'", "''")}'" + + r = Vagrant::Util::PowerShell.execute(script_path, *args) + r.exit_code == 0 + end + def self.smb_cleanup(env, machine, opts) script_path = File.expand_path("../../scripts/unset_share.ps1", __FILE__) diff --git a/plugins/hosts/windows/plugin.rb b/plugins/hosts/windows/plugin.rb index 38691d0a8..ffe1e3a17 100644 --- a/plugins/hosts/windows/plugin.rb +++ b/plugins/hosts/windows/plugin.rb @@ -46,6 +46,11 @@ module VagrantPlugins Cap::SMB end + host_capability("windows", "smb_cleanup") do + require_relative "cap/smb" + Cap::SMB + end + host_capability("windows", "configured_ip_addresses") do require_relative "cap/configured_ip_addresses" Cap::ConfiguredIPAddresses diff --git a/plugins/synced_folders/smb/errors.rb b/plugins/synced_folders/smb/errors.rb index 761924207..423853b1b 100644 --- a/plugins/synced_folders/smb/errors.rb +++ b/plugins/synced_folders/smb/errors.rb @@ -26,6 +26,10 @@ module VagrantPlugins error_key(:name_error) end + class CredentialsRequestError < SMBError + error_key(:credentials_request_error) + end + class DefineShareFailed < SMBError error_key(:define_share_failed) end diff --git a/plugins/synced_folders/smb/synced_folder.rb b/plugins/synced_folders/smb/synced_folder.rb index e834367df..4a95a0da5 100644 --- a/plugins/synced_folders/smb/synced_folder.rb +++ b/plugins/synced_folders/smb/synced_folder.rb @@ -11,6 +11,10 @@ require_relative "errors" module VagrantPlugins module SyncedFolderSMB class SyncedFolder < Vagrant.plugin("2", :synced_folder) + + # Maximum number of times to retry requesting username/password + CREDENTIAL_RETRY_MAX = 5 + def initialize(*args) super @@ -43,28 +47,27 @@ module VagrantPlugins end end - script_path = File.expand_path("../scripts/check_credentials.ps1", __FILE__) - if !have_auth machine.ui.detail(I18n.t("vagrant_sf_smb.warning_password") + "\n ") - auth_success = false - while !auth_success do - @creds[:username] = machine.ui.ask("Username: ") - @creds[:password] = machine.ui.ask("Password (will be hidden): ", echo: false) + retries = 0 + while retries < CREDENTIAL_RETRY_MAX do + smb_username = machine.ui.ask("Username: ") + smb_password = machine.ui.ask("Password (will be hidden): ", echo: false) + auth_success = true - args = [] - args << "-username" << "'#{@creds[:username].gsub("'", "''")}'" - args << "-password" << "'#{@creds[:password].gsub("'", "''")}'" - - r = Vagrant::Util::PowerShell.execute(script_path, *args) - - if r.exit_code == 0 - auth_success = true + if machine.env.host.capability?(:smb_validate_password) + Vagrant::Util::CredentialScrubber.sensitive(smb_password) + auth_success = machine.env.host.capability(:smb_validate_password, + smb_username, smb_password) end - if !auth_success - machine.ui.output(I18n.t("vagrant_sf_smb.incorrect_credentials") + "\n ") - end + break if auth_success + machine.ui.output(I18n.t("vagrant_sf_smb.incorrect_credentials") + "\n ") + retries += 1 + end + + if retries >= CREDENTIAL_RETRY_MAX + raise Errors::CredentialsRequestError end end @@ -73,8 +76,6 @@ module VagrantPlugins machine.env.host.capability(:smb_start) end - script_path = File.expand_path("../scripts/set_share.ps1", __FILE__) - folders.each do |id, data| data[:smb_username] ||= smb_username data[:smb_password] ||= smb_password diff --git a/templates/locales/synced_folder_smb.yml b/templates/locales/synced_folder_smb.yml index 5a7dd57b4..0dbf7ac1d 100644 --- a/templates/locales/synced_folder_smb.yml +++ b/templates/locales/synced_folder_smb.yml @@ -39,6 +39,9 @@ en: Vagrant SMB synced folders require the account password to be stored in an NT compatible format. Please update your sharing settings to enable a Windows compatible password and try again. + credentials_request_error: |- + Vagrant failed to receive credential information required for preparing + an SMB share. define_share_failed: |- Exporting an SMB share failed! Details about the failure are shown below. Please inspect the error message and correct any problems. diff --git a/test/unit/plugins/synced_folders/smb/synced_folder_test.rb b/test/unit/plugins/synced_folders/smb/synced_folder_test.rb index a80d45a3a..0b1e9c85d 100644 --- a/test/unit/plugins/synced_folders/smb/synced_folder_test.rb +++ b/test/unit/plugins/synced_folders/smb/synced_folder_test.rb @@ -71,8 +71,8 @@ describe VagrantPlugins::SyncedFolderSMB::SyncedFolder do context "without credentials provided" do before do - expect(machine.env.ui).to receive(:ask).and_return('username') - expect(machine.env.ui).to receive(:ask).and_return('password') + expect(machine.env.ui).to receive(:ask).with(/name/, any_args).and_return('username').at_least(1) + expect(machine.env.ui).to receive(:ask).with(/word/, any_args).and_return('password').at_least(1) end it "should prompt for credentials" do @@ -91,6 +91,27 @@ describe VagrantPlugins::SyncedFolderSMB::SyncedFolder do expect(host).to receive(:capability).with(:smb_start, any_args) subject.prepare(machine, folders, options) end + + context "with host smb_validate_password capability" do + let(:host_caps){ [:smb_start, :smb_prepare, :smb_validate_password] } + + it "should validate the password" do + expect(host).to receive(:capability).with(:smb_validate_password, 'username', 'password').and_return(true) + subject.prepare(machine, folders, options) + end + + it "should retry when validation fails" do + expect(host).to receive(:capability).with(:smb_validate_password, 'username', 'password').and_return(false) + expect(host).to receive(:capability).with(:smb_validate_password, 'username', 'password').and_return(true) + subject.prepare(machine, folders, options) + end + + it "should raise an error if it exceeds the maximum number of retries" do + expect(host).to receive(:capability).with(:smb_validate_password, 'username', 'password').and_return(false). + exactly(VagrantPlugins::SyncedFolderSMB::SyncedFolder::CREDENTIAL_RETRY_MAX).times + expect{ subject.prepare(machine, folders, options) }.to raise_error(VagrantPlugins::SyncedFolderSMB::Errors::CredentialsRequestError) + end + end end context "with credentials provided" do