first attempt at supporting NTLM authentication in Terraform

8 years ago · 852a74c49d
parent d8b9337c08
commit 852a74c49d
4 changed files with 10 additions and 0 deletions
--- a/communicator/winrm/communicator.go
+++ b/communicator/winrm/communicator.go
@ -62,6 +62,9 @@ func (c *Communicator) Connect(o terraform.UIOutput) error {

 	params := winrm.DefaultParameters
 	params.Timeout = formatDuration(c.Timeout())
+	if c.connInfo.NTLM == true {
+		params.TransportDecorator = func() winrm.Transporter { return &winrm.ClientNTLM{} }
+	}

 	client, err := winrm.NewClientWithParameters(
 		c.endpoint, c.connInfo.User, c.connInfo.Password, params)
@ -78,6 +81,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) error {
 				"  Password: %t\n"+
 				"  HTTPS: %t\n"+
 				"  Insecure: %t\n"+
+				"  NTLM: %t\n"+
 				"  CACert: %t",
 			c.connInfo.Host,
 			c.connInfo.Port,
@ -85,6 +89,7 @@ func (c *Communicator) Connect(o terraform.UIOutput) error {
 			c.connInfo.Password != "",
 			c.connInfo.HTTPS,
 			c.connInfo.Insecure,
+			c.connInfo.NTLM,
 			c.connInfo.CACert != "",
 		))
 	}
@ -209,6 +214,7 @@ func (c *Communicator) newCopyClient() (*winrmcp.Winrmcp, error) {
 		},
 		Https:                 c.connInfo.HTTPS,
 		Insecure:              c.connInfo.Insecure,
+		TransportDecorator:    c.client.TransportDecorator,
 		OperationTimeout:      c.Timeout(),
 		MaxOperationsPerShell: 15, // lowest common denominator
 	}
--- a/communicator/winrm/provisioner.go
+++ b/communicator/winrm/provisioner.go
@ -37,6 +37,7 @@ type connectionInfo struct {
 	Port       int
 	HTTPS      bool
 	Insecure   bool
+	NTLM       bool   `mapstructure:"use_ntlm"`
 	CACert     string `mapstructure:"cacert"`
 	Timeout    string
 	ScriptPath string        `mapstructure:"script_path"`
--- a/terraform/eval_validate.go
+++ b/terraform/eval_validate.go
@ -157,6 +157,7 @@ func (n *EvalValidateProvisioner) validateConnConfig(connConfig *ResourceConfig)
 		// For type=winrm only (enforced in winrm communicator)
 		HTTPS    interface{} `mapstructure:"https"`
 		Insecure interface{} `mapstructure:"insecure"`
+		NTLM     interface{} `mapstructure:"use_ntlm"`
 		CACert   interface{} `mapstructure:"cacert"`
 	}

--- a/website/docs/provisioners/connection.html.markdown
+++ b/website/docs/provisioners/connection.html.markdown
@ -92,6 +92,8 @@ provisioner "file" {

 * `insecure` - Set to `true` to not validate the HTTPS certificate chain.

+* `use_ntlm` - Set to `true` to use NTLM authentication, rather than default (basic authentication), removing the requirement for basic authentication to be enabled within the target guest. Further reading for remote connection authentication can be found [here](https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx).
+
 * `cacert` - The CA certificate to validate against.

 <a id="bastion"></a>