(chocolatey#105) Removes "Hardened" Option, Always Secures
There's no reason we shouldn't be recommending that users secure their environment to the extent possible. If they want to run a less secure environment, they can follow a different guide.
Showing
2 changed files
with
60 additions
and
108 deletions.
@@ -32,15 +32,19 @@ param( | |
} | ||
})] | ||
[string] | ||
$Thumbprint = (Get-ChildItem Cert:\LocalMachine\TrustedPeople -Recurse | Select-Object -ExpandProperty Thumbprint), | ||
$Thumbprint = $( | ||
Get-ChildItem Cert:\LocalMachine\TrustedPeople -Recurse | Sort-Object { | ||
$_.Issuer -eq $_.Subject # Prioritise any certificates above self-signed | ||
} | Select-Object -ExpandProperty Thumbprint -First 1 | ||
), | ||
|
||
# The certificate subject that identifies the target SSL certificate in | ||
# the local machine certificate stores. | ||
[Parameter(ParameterSetName='Subject')] | ||
[string] | ||
$Subject, | ||
|
||
#If using a wildcard certificate, provide a DNS name you want to use to access services secured by the certificate. | ||
# If using a wildcard certificate, provide a DNS name you want to use to access services secured by the certificate. | ||
[Parameter(ParameterSetName='Subject')] | ||
[Parameter(ParameterSetName='Thumbprint')] | ||
[string] | ||
|
@@ -49,20 +53,6 @@ param( | |
Get-ChocoEnvironmentProperty CertSubject | ||
), | ||
|
||
# This option security hardens your C4B server, in scenarios where you have a non-self-signed certificate. | ||
# It adds a role and user credential to the Nexus server, which is used to authenticate the source setup on a client endpoint. | ||
# It also adds a Client and Service Salt to further secure the SSL conneciton with CCM. | ||
# Finally, it updates the Register-C4bEndpoint.ps1 script to use these new credentials. | ||
[Parameter()] | ||
[switch] | ||
$Hardened, | ||
|
||
# The C4B server hostname for which to generate a new self-signed certificate. | ||
# Ignored/unused if a certificate thumbprint or subject is supplied. | ||
[Parameter(ParameterSetName='SelfSigned')] | ||
[string] | ||
$Hostname = [System.Net.Dns]::GetHostName(), | ||
|
||
# API key of your Nexus repo, to add to the source setup on C4B Server. | ||
[string]$NuGetApiKey = $( | ||
if (-not (Get-Command Get-ChocoEnvironmentProperty -ErrorAction SilentlyContinue)) {. $PSScriptRoot\scripts\Get-Helpers.ps1} | ||
|
@@ -103,13 +93,6 @@ process { | |
$SubjectWithoutCn = $CertificateDnsName | ||
} | ||
|
||
if ($Hardened) { | ||
$CertValidation = Test-SelfSignedCertificate -Certificate $Certificate | ||
if ($CertValidation) { | ||
throw "Self-Signed Certificates not valid for Internet-Hardened configurations. Please use a valid purchased or generated certificate." | ||
} | ||
} | ||
|
||
<# Nexus #> | ||
# Stop Services/Processes/Websites required | ||
Stop-Service nexus | ||
|
@@ -151,59 +134,46 @@ process { | |
(Get-Content -Path $ClientScript) -replace "{{hostname}}", $SubjectWithoutCn | Set-Content -Path $ClientScript | ||
New-NexusRawComponent -RepositoryName 'choco-install' -File $ClientScript | ||
|
||
if ($Hardened) { | ||
# Disable anonymous authentication | ||
Set-NexusAnonymousAuth -Disabled | ||
|
||
if (-not (Get-NexusRole -Role 'chocorole' -ErrorAction SilentlyContinue)) { | ||
# Create Nexus role | ||
$RoleParams = @{ | ||
Id = "chocorole" | ||
Name = "chocorole" | ||
Description = "Role for web enabled choco clients" | ||
Privileges = @('nx-repository-view-nuget-*-browse', 'nx-repository-view-nuget-*-read', 'nx-repository-view-raw-*-read', 'nx-repository-view-raw-*-browse') | ||
} | ||
New-NexusRole @RoleParams | ||
} | ||
# Disable anonymous authentication | ||
Set-NexusAnonymousAuth -Disabled | ||
|
||
if (-not (Get-NexusUser -User 'chocouser' -ErrorAction SilentlyContinue)) { | ||
$NexusPw = [System.Web.Security.Membership]::GeneratePassword(32, 12) | ||
# Create Nexus user | ||
$UserParams = @{ | ||
Username = 'chocouser' | ||
Password = ($NexusPw | ConvertTo-SecureString -AsPlainText -Force) | ||
FirstName = 'Choco' | ||
LastName = 'User' | ||
EmailAddress = '[email protected]' | ||
Status = 'Active' | ||
Roles = 'chocorole' | ||
} | ||
New-NexusUser @UserParams | ||
if (-not (Get-NexusRole -Role 'chocorole' -ErrorAction SilentlyContinue)) { | ||
# Create Nexus role | ||
$RoleParams = @{ | ||
Id = "chocorole" | ||
Name = "chocorole" | ||
Description = "Role for web enabled choco clients" | ||
Privileges = @('nx-repository-view-nuget-*-browse', 'nx-repository-view-nuget-*-read', 'nx-repository-view-raw-*-read', 'nx-repository-view-raw-*-browse') | ||
} | ||
|
||
$ChocoArgs = @( | ||
'source', | ||
'add', | ||
"--name='ChocolateyInternal'", | ||
"--source='$RepositoryUrl'", | ||
'--priority=1', | ||
"--user='chocouser'", | ||
"--password='$NexusPw'" | ||
) | ||
& Invoke-Choco @ChocoArgs | ||
New-NexusRole @RoleParams | ||
} | ||
|
||
else { | ||
$ChocoArgs = @( | ||
'source', | ||
'add', | ||
"--name='ChocolateyInternal'", | ||
"--source='$RepositoryUrl'", | ||
'--priority=1' | ||
) | ||
& Invoke-Choco @ChocoArgs | ||
if (-not (Get-NexusUser -User 'chocouser' -ErrorAction SilentlyContinue)) { | ||
$NexusPw = [System.Web.Security.Membership]::GeneratePassword(32, 12) | ||
# Create Nexus user | ||
$UserParams = @{ | ||
Username = 'chocouser' | ||
Password = ($NexusPw | ConvertTo-SecureString -AsPlainText -Force) | ||
FirstName = 'Choco' | ||
LastName = 'User' | ||
EmailAddress = '[email protected]' | ||
Status = 'Active' | ||
Roles = 'chocorole' | ||
} | ||
New-NexusUser @UserParams | ||
} | ||
|
||
$ChocoArgs = @( | ||
'source', | ||
'add', | ||
"--name='ChocolateyInternal'", | ||
"--source='$RepositoryUrl'", | ||
'--priority=1', | ||
"--user='chocouser'", | ||
"--password='$NexusPw'" | ||
) | ||
& Invoke-Choco @ChocoArgs | ||
|
||
# Update Repository API key | ||
$chocoArgs = @('apikey', "--source='$RepositoryUrl'", "--api-key='$NuGetApiKey'") | ||
& Invoke-Choco @chocoArgs | ||
|
@@ -255,11 +225,9 @@ process { | |
# Generate Register-C4bEndpoint.ps1 | ||
$EndpointScript = "$PSScriptRoot\scripts\Register-C4bEndpoint.ps1" | ||
|
||
if ($Hardened) { | ||
|
||
$ClientSaltValue = New-CCMSalt | ||
$ServiceSaltValue = New-CCMSalt | ||
$ScriptBlock = @" | ||
$ClientSaltValue = New-CCMSalt | ||
$ServiceSaltValue = New-CCMSalt | ||
$ScriptBlock = @" | ||
`$ClientCommunicationSalt = '$ClientSaltValue' | ||
`$ServiceCommunicationSalt = '$ServiceSaltValue' | ||
`$FQDN = '$SubjectWithoutCN' | ||
|
@@ -288,54 +256,38 @@ process { | |
& ([scriptblock]::Create(`$script)) @params | ||
"@ | ||
|
||
$ScriptBlock | Set-Content -Path $EndpointScript | ||
|
||
# Agent Setup | ||
$agentArgs = @{ | ||
CentralManagementServiceUrl = "https://$($SubjectWithoutCn):24020/ChocolateyManagementService" | ||
ServiceSalt = $ServiceSaltValue | ||
ClientSalt = $ClientSaltValue | ||
Source = "ChocolateyInternal" | ||
} | ||
|
||
Install-ChocolateyAgent @agentArgs | ||
} else { | ||
# Agent Setup | ||
$agentArgs = @{ | ||
CentralManagementServiceUrl = "https://$($SubjectWithoutCn):24020/ChocolateyManagementService" | ||
Source = "ChocolateyInternal" | ||
} | ||
$ScriptBlock | Set-Content -Path $EndpointScript | ||
|
||
Install-ChocolateyAgent @agentArgs | ||
# Agent Setup | ||
$agentArgs = @{ | ||
CentralManagementServiceUrl = "https://$($SubjectWithoutCn):24020/ChocolateyManagementService" | ||
ServiceSalt = $ServiceSaltValue | ||
ClientSalt = $ClientSaltValue | ||
} | ||
|
||
if (Test-SelfSignedCertificate -Certificate $Certificate) { | ||
# Register endpoint script | ||
(Get-Content -Path $EndpointScript) -replace "{{hostname}}", "'$SubjectWithoutCn'" | Set-Content -Path $EndpointScript | ||
if ($IsSelfSigned) { | ||
$ScriptBlock = @" | ||
`$downloader = New-Object -TypeName System.Net.WebClient | ||
Invoke-Expression (`$downloader.DownloadString("http://`$(`$HostName):80/Import-ChocoServerCertificate.ps1")) | ||
"@ | ||
(Get-Content -Path $EndpointScript) -replace "# placeholder if using a self-signed cert", $ScriptBlock | Set-Content -Path $EndpointScript | ||
} | ||
} | ||
|
||
Install-ChocolateyAgent @agentArgs | ||
|
||
Update-Clixml -Properties @{ | ||
CCMWebPortal = "https://$($SubjectWithoutCn)/Account/Login" | ||
CCMServiceURL = "https://$($SubjectWithoutCn):24020/ChocolateyManagementService" | ||
CertSubject = $SubjectWithoutCn | ||
CertThumbprint = $Certificate.Thumbprint | ||
CertExpiry = $Certificate.NotAfter | ||
IsSelfSigned = $IsSelfSigned | ||
} | ||
|
||
if ($Hardened) { | ||
Update-Clixml -Properties @{ | ||
ServiceSalt = ConvertTo-SecureString $ServiceSaltValue -AsPlainText -Force | ||
ClientSalt = ConvertTo-SecureString $ClientSaltValue -AsPlainText -Force | ||
} | ||
ServiceSalt = ConvertTo-SecureString $ServiceSaltValue -AsPlainText -Force | ||
ClientSalt = ConvertTo-SecureString $ClientSaltValue -AsPlainText -Force | ||
} | ||
} | ||
|
||
end { | ||
Write-Host 'Writing README to Desktop; this file contains login information for all C4B services.' | ||
New-QuickstartReadme | ||
|