Add WinRM helper

This patch set adds a WinRM helper, which will be used for managing Windows Service Instances. This will make use of the pywinrm library. Password as well as certificate based authentication will be available. Co-Authored-By: Alin Balutoiu <abalutoiu@cloudbasesolutions.com> Change-Id: I6f0ca85c7e4ed35301fff4714e65d54f1fcc29a6 Partially-implements: blueprint windows-smb-support
2015-07-29 01:12:31 +03:00 · 2015-07-29 01:12:31 +03:00 · 39cb200cbf
parent 17063cdd5e
commit 39cb200cbf
5 changed files with 465 additions and 0 deletions
--- a/manila/opts.py
+++ b/manila/opts.py
@ -62,6 +62,7 @@ import manila.share.drivers.ibm.gpfs
 import manila.share.drivers.netapp.options
 import manila.share.drivers.quobyte.quobyte
 import manila.share.drivers.service_instance
+import manila.share.drivers.windows.winrm_helper
 import manila.share.drivers.zfssa.zfssashare
 import manila.share.drivers_private_data
 import manila.share.manager
@ -124,6 +125,7 @@ _global_opt_lists = [
    manila.share.drivers.service_instance.common_opts,
    manila.share.drivers.service_instance.no_share_servers_handling_mode_opts,
    manila.share.drivers.service_instance.share_servers_handling_mode_opts,
+    manila.share.drivers.windows.winrm_helper.winrm_opts,
    manila.share.drivers.zfssa.zfssashare.ZFSSA_OPTS,
    manila.share.manager.share_manager_opts,
    manila.volume._volume_opts,
--- a/manila/share/drivers/windows/init.py
+++ b/manila/share/drivers/windows/init.py
--- a/manila/share/drivers/windows/winrm_helper.py
+++ b/manila/share/drivers/windows/winrm_helper.py
@ -0,0 +1,199 @@
+# Copyright (c) 2015 Cloudbase Solutions SRL
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import base64
+
+from oslo_concurrency import processutils
+from oslo_config import cfg
+from oslo_log import log
+from oslo_utils import importutils
+from oslo_utils import strutils
+import six
+
+from manila import exception
+from manila.i18n import _
+from manila import utils
+
+LOG = log.getLogger(__name__)
+CONF = cfg.CONF
+
+winrm_opts = [
+    cfg.IntOpt(
+        'winrm_conn_timeout',
+        default=60,
+        help='WinRM connection timeout.'),
+    cfg.IntOpt(
+        'winrm_operation_timeout',
+        default=60,
+        help='WinRM operation timeout.'),
+    cfg.IntOpt(
+        'winrm_retry_count',
+        default=3,
+        help='WinRM retry count.'),
+    cfg.IntOpt(
+        'winrm_retry_interval',
+        default=5,
+        help='WinRM retry interval in seconds'),
+]
+
+CONF.register_opts(winrm_opts)
+
+DEFAULT_PORT_HTTP = 5985
+DEFAULT_PORT_HTTPS = 5986
+
+TRANSPORT_PLAINTEXT = 'plaintext'
+TRANSPORT_SSL = 'ssl'
+
+winrm = None
+
+
+def setup_winrm():
+    global winrm
+    if not winrm:
+        try:
+            winrm = importutils.import_module('winrm')
+        except ImportError:
+            raise exception.ShareBackendException(
+                _("PyWinrm is not installed"))
+
+
+class WinRMHelper(object):
+    def __init__(self, configuration=None):
+        if configuration:
+            configuration.append_config_values(winrm_opts)
+            self._config = configuration
+        else:
+            self._config = CONF
+
+        setup_winrm()
+
+    def _get_conn(self, server):
+        auth = self._get_auth(server)
+        conn = WinRMConnection(
+            ip=server['ip'],
+            conn_timeout=self._config.winrm_conn_timeout,
+            operation_timeout=self._config.winrm_operation_timeout,
+            **auth)
+        return conn
+
+    def execute(self, server, command, check_exit_code=True,
+                retry=True):
+        retries = self._config.winrm_retry_count if retry else 1
+        conn = self._get_conn(server)
+
+        @utils.retry(exception=Exception,
+                     interval=self._config.winrm_retry_interval,
+                     retries=retries)
+        def _execute():
+            parsed_cmd, sanitized_cmd = self._parse_command(command)
+
+            LOG.debug("Executing command: %s", sanitized_cmd)
+            (stdout, stderr, exit_code) = conn.execute(parsed_cmd)
+
+            sanitized_stdout = strutils.mask_password(stdout)
+            sanitized_stderr = strutils.mask_password(stderr)
+            LOG.debug("Executed command: %(cmd)s. Stdout: %(stdout)s. "
+                      "Stderr: %(stderr)s. Exit code %(exit_code)s",
+                      dict(cmd=sanitized_cmd, stdout=sanitized_stdout,
+                           stderr=sanitized_stderr, exit_code=exit_code))
+
+            if check_exit_code and exit_code != 0:
+                raise processutils.ProcessExecutionError(
+                    stdout=sanitized_stdout,
+                    stderr=sanitized_stderr,
+                    exit_code=exit_code,
+                    cmd=sanitized_cmd)
+            return (stdout, stderr)
+        return _execute()
+
+    def _parse_command(self, command):
+        if isinstance(command, list) or isinstance(command, tuple):
+            command = " ".join([six.text_type(c) for c in command])
+
+        sanitized_cmd = strutils.mask_password(command)
+
+        b64_command = base64.b64encode(command.encode("utf_16_le"))
+        command = ("powershell.exe -ExecutionPolicy RemoteSigned "
+                   "-NonInteractive -EncodedCommand %s" % b64_command)
+        return command, sanitized_cmd
+
+    def _get_auth(self, server):
+        auth = {'username': server['username']}
+
+        if server['use_cert_auth']:
+            auth['cert_pem_path'] = server['cert_pem_path']
+            auth['cert_key_pem_path'] = server['cert_key_pem_path']
+        else:
+            auth['password'] = server['password']
+        return auth
+
+
+class WinRMConnection(object):
+    _URL_TEMPLATE = '%(protocol)s://%(ip)s:%(port)s/wsman'
+
+    def __init__(self, ip=None, port=None, use_ssl=False,
+                 transport=None, username=None, password=None,
+                 cert_pem_path=None, cert_key_pem_path=None,
+                 operation_timeout=None, conn_timeout=None):
+        setup_winrm()
+
+        use_cert = bool(cert_pem_path and cert_key_pem_path)
+        transport = (TRANSPORT_SSL
+                     if use_cert else TRANSPORT_PLAINTEXT)
+
+        _port = port or self._get_default_port(use_cert)
+        _url = self._get_url(ip, _port, use_cert)
+
+        self._conn = winrm.protocol.Protocol(
+            endpoint=_url, transport=transport,
+            username=username, password=password,
+            cert_pem=cert_pem_path, cert_key_pem=cert_key_pem_path)
+        self._conn.transport.timeout = conn_timeout
+        self._conn.set_timeout(operation_timeout)
+
+    def _get_default_port(self, use_ssl):
+        port = (DEFAULT_PORT_HTTPS
+                if use_ssl else DEFAULT_PORT_HTTP)
+        return port
+
+    def _get_url(self, ip, port, use_ssl):
+        if not ip:
+            err_msg = _("No IP provided.")
+            raise exception.ShareBackendException(msg=err_msg)
+
+        protocol = 'https' if use_ssl else 'http'
+        return self._URL_TEMPLATE % {'protocol': protocol,
+                                     'ip': ip,
+                                     'port': port}
+
+    def execute(self, cmd):
+        shell_id = None
+        cmd_id = None
+
+        try:
+            shell_id = self._conn.open_shell()
+
+            cmd_id = self._conn.run_command(shell_id, cmd)
+
+            (stdout,
+             stderr,
+             exit_code) = self._conn.get_command_output(shell_id, cmd_id)
+        finally:
+            if cmd_id:
+                self._conn.cleanup_command(shell_id, cmd_id)
+            if shell_id:
+                self._conn.close_shell(shell_id)
+
+        return (stdout, stderr, exit_code)
--- a/manila/tests/share/drivers/windows/init.py
+++ b/manila/tests/share/drivers/windows/init.py
--- a/manila/tests/share/drivers/windows/test_winrm_helper.py
+++ b/manila/tests/share/drivers/windows/test_winrm_helper.py
@ -0,0 +1,264 @@
+# Copyright (c) 2015 Cloudbase Solutions SRL
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import ddt
+import mock
+from oslo_concurrency import processutils
+from oslo_utils import importutils
+from oslo_utils import strutils
+
+from manila import exception
+from manila.share.drivers.windows import winrm_helper
+from manila import test
+
+
+@ddt.ddt
+class WinRMHelperTestCase(test.TestCase):
+    _FAKE_SERVER = {'ip': mock.sentinel.ip}
+
+    @mock.patch.object(importutils, 'import_module')
+    def setUp(self, mock_import_module):
+        self._winrm = winrm_helper.WinRMHelper()
+        super(WinRMHelperTestCase, self).setUp()
+
+    @ddt.data({'import_exc': None},
+              {'import_exc': ImportError})
+    @mock.patch.object(importutils, 'import_module')
+    @ddt.unpack
+    def test_setup_winrm(self, mock_import_module, import_exc):
+        winrm_helper.winrm = None
+        mock_import_module.side_effect = import_exc
+
+        if import_exc:
+            self.assertRaises(exception.ShareBackendException,
+                              winrm_helper.setup_winrm)
+        else:
+            winrm_helper.setup_winrm()
+            self.assertEqual(mock_import_module.return_value,
+                             winrm_helper.winrm)
+        mock_import_module.assert_called_once_with('winrm')
+
+    @mock.patch.object(winrm_helper.WinRMHelper, '_get_auth')
+    @mock.patch.object(winrm_helper, 'WinRMConnection')
+    def test_get_conn(self, mock_conn_cls, mock_get_auth):
+        mock_auth = {'mock_auth_key': mock.sentinel.auth_opt}
+        mock_get_auth.return_value = mock_auth
+
+        conn = self._winrm._get_conn(self._FAKE_SERVER)
+
+        mock_get_auth.assert_called_once_with(self._FAKE_SERVER)
+        mock_conn_cls.assert_called_once_with(
+            ip=self._FAKE_SERVER['ip'],
+            conn_timeout=self._winrm._config.winrm_conn_timeout,
+            operation_timeout=self._winrm._config.winrm_operation_timeout,
+            **mock_auth)
+        self.assertEqual(mock_conn_cls.return_value, conn)
+
+    @ddt.data({},
+              {'exit_code': 1},
+              {'exit_code': 1, 'check_exit_code': False})
+    @mock.patch.object(strutils, 'mask_password')
+    @mock.patch.object(winrm_helper.WinRMHelper, '_parse_command')
+    @mock.patch.object(winrm_helper.WinRMHelper, '_get_conn')
+    @ddt.unpack
+    def test_execute(self, mock_get_conn, mock_parse_command,
+                     mock_mask_password,
+                     check_exit_code=True, exit_code=0):
+        mock_parse_command.return_value = (mock.sentinel.parsed_cmd,
+                                           mock.sentinel.sanitized_cmd)
+        mock_conn = mock_get_conn.return_value
+        mock_conn.execute.return_value = (mock.sentinel.stdout,
+                                          mock.sentinel.stderr,
+                                          exit_code)
+
+        if exit_code == 0 or not check_exit_code:
+            result = self._winrm.execute(mock.sentinel.server,
+                                         mock.sentinel.command,
+                                         check_exit_code=check_exit_code,
+                                         retry=False)
+            expected_result = (mock.sentinel.stdout, mock.sentinel.stderr)
+            self.assertEqual(expected_result, result)
+        else:
+            self.assertRaises(processutils.ProcessExecutionError,
+                              self._winrm.execute,
+                              mock.sentinel.server,
+                              mock.sentinel.command,
+                              check_exit_code=check_exit_code,
+                              retry=False)
+
+        mock_get_conn.assert_called_once_with(mock.sentinel.server)
+        mock_parse_command.assert_called_once_with(mock.sentinel.command)
+        mock_conn.execute.assert_called_once_with(mock.sentinel.parsed_cmd)
+        mock_mask_password.assert_has_calls([mock.call(mock.sentinel.stdout),
+                                             mock.call(mock.sentinel.stderr)])
+
+    @mock.patch('base64.b64encode')
+    @mock.patch.object(strutils, 'mask_password')
+    def test_parse_command(self, mock_mask_password, mock_base64):
+        mock_mask_password.return_value = mock.sentinel.sanitized_cmd
+        mock_base64.return_value = mock.sentinel.encoded_string
+
+        cmd = ('Get-Disk', '-Number', 1)
+        result = self._winrm._parse_command(cmd)
+
+        joined_cmd = 'Get-Disk -Number 1'
+        expected_command = ("powershell.exe -ExecutionPolicy RemoteSigned "
+                            "-NonInteractive -EncodedCommand %s" %
+                            mock.sentinel.encoded_string)
+        expected_result = expected_command, mock.sentinel.sanitized_cmd
+
+        mock_mask_password.assert_called_once_with(joined_cmd)
+        mock_base64.assert_called_once_with(joined_cmd.encode("utf_16_le"))
+        self.assertEqual(expected_result, result)
+
+    def _test_get_auth(self, use_cert_auth=False):
+        mock_server = {'use_cert_auth': use_cert_auth,
+                       'cert_pem_path': mock.sentinel.pem_path,
+                       'cert_key_pem_path': mock.sentinel.key_path,
+                       'username': mock.sentinel.username,
+                       'password': mock.sentinel.password}
+
+        result = self._winrm._get_auth(mock_server)
+
+        expected_result = {'username': mock_server['username']}
+        if use_cert_auth:
+            expected_result['cert_pem_path'] = mock_server['cert_pem_path']
+            expected_result['cert_key_pem_path'] = (
+                mock_server['cert_key_pem_path'])
+        else:
+            expected_result['password'] = mock_server['password']
+
+        self.assertEqual(expected_result, result)
+
+    def test_get_auth_using_certificates(self):
+        self._test_get_auth(use_cert_auth=True)
+
+    def test_get_auth_using_password(self):
+        self._test_get_auth()
+
+
+class WinRMConnectionTestCase(test.TestCase):
+    @mock.patch.object(winrm_helper, 'setup_winrm')
+    @mock.patch.object(winrm_helper, 'winrm')
+    @mock.patch.object(winrm_helper.WinRMConnection, '_get_url')
+    @mock.patch.object(winrm_helper.WinRMConnection, '_get_default_port')
+    def setUp(self, mock_get_port, mock_get_url, mock_winrm,
+              mock_setup_winrm):
+        self._winrm = winrm_helper.WinRMConnection()
+        self._mock_conn = mock_winrm.protocol.Protocol.return_value
+        super(WinRMConnectionTestCase, self).setUp()
+
+    @mock.patch.object(winrm_helper, 'setup_winrm')
+    @mock.patch.object(winrm_helper, 'winrm')
+    @mock.patch.object(winrm_helper.WinRMConnection, '_get_url')
+    @mock.patch.object(winrm_helper.WinRMConnection, '_get_default_port')
+    def test_init_conn(self, mock_get_port, mock_get_url, mock_winrm,
+                       mock_setup_winrm):
+        # certificates are passed so we expect cert auth to be used
+        cert_auth = True
+        winrm_conn = winrm_helper.WinRMConnection(
+            ip=mock.sentinel.ip, username=mock.sentinel.username,
+            password=mock.sentinel.password,
+            cert_pem_path=mock.sentinel.cert_pem_path,
+            cert_key_pem_path=mock.sentinel.cert_key_pem_path,
+            operation_timeout=mock.sentinel.operation_timeout,
+            conn_timeout=mock.sentinel.conn_timeout)
+
+        mock_get_port.assert_called_once_with(cert_auth)
+        mock_get_url.assert_called_once_with(mock.sentinel.ip,
+                                             mock_get_port.return_value,
+                                             cert_auth)
+        mock_winrm.protocol.Protocol.assert_called_once_with(
+            endpoint=mock_get_url.return_value,
+            transport=winrm_helper.TRANSPORT_SSL,
+            username=mock.sentinel.username,
+            password=mock.sentinel.password,
+            cert_pem=mock.sentinel.cert_pem_path,
+            cert_key_pem=mock.sentinel.cert_key_pem_path)
+        self.assertEqual(mock_winrm.protocol.Protocol.return_value,
+                         winrm_conn._conn)
+        self.assertEqual(mock.sentinel.conn_timeout,
+                         winrm_conn._conn.transport.timeout)
+        winrm_conn._conn.set_timeout.assert_called_once_with(
+            mock.sentinel.operation_timeout)
+
+    def test_get_default_port_https(self):
+        port = self._winrm._get_default_port(use_ssl=True)
+        self.assertEqual(winrm_helper.DEFAULT_PORT_HTTPS, port)
+
+    def test_get_default_port_http(self):
+        port = self._winrm._get_default_port(use_ssl=False)
+        self.assertEqual(winrm_helper.DEFAULT_PORT_HTTP, port)
+
+    def _test_get_url(self, ip=None, use_ssl=True):
+        if not ip:
+            self.assertRaises(exception.ShareBackendException,
+                              self._winrm._get_url,
+                              ip=ip,
+                              port=mock.sentinel.port,
+                              use_ssl=use_ssl)
+        else:
+            url = self._winrm._get_url(ip=ip,
+                                       port=mock.sentinel.port,
+                                       use_ssl=use_ssl)
+            expected_protocol = 'https' if use_ssl else 'http'
+            expected_url = self._winrm._URL_TEMPLATE % dict(
+                protocol=expected_protocol,
+                port=mock.sentinel.port,
+                ip=ip)
+            self.assertEqual(expected_url, url)
+
+    def test_get_url_using_ssl(self):
+        self._test_get_url(ip=mock.sentinel.ip)
+
+    def test_get_url_using_plaintext(self):
+        self._test_get_url(ip=mock.sentinel.ip, use_ssl=False)
+
+    def test_get_url_missing_ip(self):
+        self._test_get_url()
+
+    def _test_execute(self, get_output_exception=None):
+        self._mock_conn.open_shell.return_value = mock.sentinel.shell_id
+        self._mock_conn.run_command.return_value = mock.sentinel.cmd_id
+
+        command_output = (mock.sentinel.stdout,
+                          mock.sentinel.stderr,
+                          mock.sentinel.exit_code)
+        if get_output_exception:
+            self._mock_conn.get_command_output.side_effect = (
+                get_output_exception)
+            self.assertRaises(
+                get_output_exception,
+                self._winrm.execute,
+                mock.sentinel.cmd)
+        else:
+            self._mock_conn.get_command_output.return_value = command_output
+            result = self._winrm.execute(mock.sentinel.cmd)
+            self.assertEqual(command_output, result)
+
+        self._mock_conn.open_shell.assert_called_once_with()
+        self._mock_conn.run_command.assert_called_once_with(
+            mock.sentinel.shell_id, mock.sentinel.cmd)
+
+        self._mock_conn.cleanup_command.assert_called_once_with(
+            mock.sentinel.shell_id, mock.sentinel.cmd_id)
+        self._mock_conn.close_shell.assert_called_once_with(
+            mock.sentinel.shell_id)
+
+    def test_execute(self):
+        self._test_execute()
+
+    def test_execute_exception(self):
+        self._test_execute(get_output_exception=Exception)