Pass stored WinRM credentials to agent Ansible runs

2025-10-26 15:21:57 -06:00 · 2025-10-15 01:20:54 -06:00
parent 94250212de
commit 74540b7f10
3 changed files with 122 additions and 21 deletions
--- a/Data/Server/WebUI/src/Scheduling/Quick_Job.jsx
+++ b/Data/Server/WebUI/src/Scheduling/Quick_Job.jsx
@@ -136,7 +136,10 @@ export default function QuickJob({ open, onClose, hostnames = [] }) {
        const data = await resp.json();
        if (canceled) return;
        const list = Array.isArray(data?.credentials)
-          ? data.credentials.filter((cred) => String(cred.connection_type || "").toLowerCase() === "ssh")
+          ? data.credentials.filter((cred) => {
+              const conn = String(cred.connection_type || "").toLowerCase();
+              return conn === "ssh" || conn === "winrm";
+            })
          : [];
        list.sort((a, b) => String(a?.name || "").localeCompare(String(b?.name || "")));
        setCredentials(list);
@@ -435,11 +438,15 @@ export default function QuickJob({ open, onClose, hostnames = [] }) {
                onChange={(e) => setSelectedCredentialId(e.target.value)}
                sx={{ bgcolor: "#1f1f1f", color: "#fff" }}
              >
-                {credentials.map((cred) => (
-                  <MenuItem key={cred.id} value={String(cred.id)}>
-                    {cred.name}
-                  </MenuItem>
-                ))}
+                {credentials.map((cred) => {
+                  const conn = String(cred.connection_type || "").toUpperCase();
+                  return (
+                    <MenuItem key={cred.id} value={String(cred.id)}>
+                      {cred.name}
+                      {conn ? ` (${conn})` : ""}
+                    </MenuItem>
+                  );
+                })}
              </Select>
            </FormControl>
            {credentialsLoading && <CircularProgress size={18} sx={{ color: "#58a6ff" }} />}
@@ -448,7 +455,7 @@ export default function QuickJob({ open, onClose, hostnames = [] }) {
            )}
            {!credentialsLoading && !credentialsError && !credentials.length && (
              <Typography variant="body2" sx={{ color: "#ff8080" }}>
-                No SSH credentials available. Create one under Access Management.
+                No SSH or WinRM credentials available. Create one under Access Management.
              </Typography>
            )}
          </Box>
--- a/Data/Server/job_scheduler.py
+++ b/Data/Server/job_scheduler.py
@@ -7,6 +7,10 @@ import re
 import sqlite3
 from typing import Any, Dict, List, Optional, Tuple, Callable

+_WINRM_USERNAME_VAR = "__borealis_winrm_username"
+_WINRM_PASSWORD_VAR = "__borealis_winrm_password"
+_WINRM_TRANSPORT_VAR = "__borealis_winrm_transport"
+
 """
 Job Scheduler module for Borealis

@@ -54,6 +58,26 @@ def _decode_base64_text(value: Any) -> Optional[str]:
        return decoded.decode("utf-8", errors="replace")


+def _inject_winrm_credential(
+    base_values: Optional[Dict[str, Any]],
+    credential: Optional[Dict[str, Any]],
+) -> Dict[str, Any]:
+    values: Dict[str, Any] = dict(base_values or {})
+    if not credential:
+        return values
+
+    username = str(credential.get("username") or "")
+    password = str(credential.get("password") or "")
+    metadata = credential.get("metadata") if isinstance(credential.get("metadata"), dict) else {}
+    transport = metadata.get("winrm_transport") if isinstance(metadata, dict) else None
+    transport_str = str(transport or "ntlm").strip().lower() or "ntlm"
+
+    values[_WINRM_USERNAME_VAR] = username
+    values[_WINRM_PASSWORD_VAR] = password
+    values[_WINRM_TRANSPORT_VAR] = transport_str
+    return values
+
+
 def _decode_script_content(value: Any, encoding_hint: str = "") -> str:
    encoding = (encoding_hint or "").strip().lower()
    if isinstance(value, str):
@@ -311,6 +335,8 @@ class JobScheduler:
        self._online_lookup: Optional[Callable[[], List[str]]] = None
        # Optional callback to execute Ansible directly from the server
        self._server_ansible_runner: Optional[Callable[..., str]] = None
+        # Optional callback to fetch stored credentials (with decrypted secrets)
+        self._credential_fetcher: Optional[Callable[[int], Optional[Dict[str, Any]]]] = None

        # Ensure run-history table exists
        self._init_tables()
@@ -522,7 +548,24 @@ class JobScheduler:
            variables = doc.get("variables") or []
            files = doc.get("files") or []
            run_mode_norm = (run_mode or "system").strip().lower()
-            server_run = run_mode_norm in ("ssh", "winrm")
+            server_run = run_mode_norm == "ssh"
+            agent_winrm = run_mode_norm == "winrm"
+
+            if agent_winrm:
+                if not credential_id:
+                    raise RuntimeError("WinRM execution requires a credential_id")
+                if not callable(self._credential_fetcher):
+                    raise RuntimeError("Credential fetcher is not configured")
+                cred_detail = self._credential_fetcher(int(credential_id))
+                if not cred_detail:
+                    raise RuntimeError("Credential not found")
+                try:
+                    overrides_map = _inject_winrm_credential(overrides_map, cred_detail)
+                finally:
+                    try:
+                        cred_detail.clear()  # type: ignore[attr-defined]
+                    except Exception:
+                        pass

            # Record in activity_history for UI parity
            now = _now_ts()
@@ -743,6 +786,9 @@ class JobScheduler:
    def _conn(self):
        return sqlite3.connect(self.db_path)

+    def set_credential_fetcher(self, fn: Optional[Callable[[int], Optional[Dict[str, Any]]]]):
+        self._credential_fetcher = fn
+
    def _init_tables(self):
        conn = self._conn()
        cur = conn.cursor()
@@ -1738,3 +1784,7 @@ def set_online_lookup(scheduler: JobScheduler, fn: Callable[[], List[str]]):

 def set_server_ansible_runner(scheduler: JobScheduler, fn: Callable[..., str]):
    scheduler._server_ansible_runner = fn
+
+
+def set_credential_fetcher(scheduler: JobScheduler, fn: Callable[[int], Optional[Dict[str, Any]]]):
+    scheduler._credential_fetcher = fn
--- a/Data/Server/server.py
+++ b/Data/Server/server.py
@@ -329,6 +329,7 @@ from Python_API_Endpoints.script_engines import run_powershell_script
 from job_scheduler import register as register_job_scheduler
 from job_scheduler import set_online_lookup as scheduler_set_online_lookup
 from job_scheduler import set_server_ansible_runner as scheduler_set_server_runner
+from job_scheduler import set_credential_fetcher as scheduler_set_credential_fetcher

 # =============================================================================
 # Section: Runtime Stack Configuration
@@ -1859,6 +1860,11 @@ def _ensure_ansible_workspace() -> str:
    return _ANSIBLE_WORKSPACE_DIR


+_WINRM_USERNAME_VAR = "__borealis_winrm_username"
+_WINRM_PASSWORD_VAR = "__borealis_winrm_password"
+_WINRM_TRANSPORT_VAR = "__borealis_winrm_transport"
+
+
 def _fetch_credential_with_secrets(credential_id: int) -> Optional[Dict[str, Any]]:
    try:
        conn = _db_conn()
@@ -1876,7 +1882,8 @@ def _fetch_credential_with_secrets(credential_id: int) -> Optional[Dict[str, Any
                private_key_passphrase_encrypted,
                become_method,
                become_username,
-                become_password_encrypted
+                become_password_encrypted,
+                metadata_json
            FROM credentials
            WHERE id=?
            """,
@@ -1900,8 +1907,40 @@ def _fetch_credential_with_secrets(credential_id: int) -> Optional[Dict[str, Any
        "become_method": _normalize_become_method(row[8]),
        "become_username": row[9] or "",
        "become_password": _decrypt_secret(row[10]) if row[10] else "",
+        "metadata": {},
    }

+    try:
+        meta_json = row[11] if len(row) > 11 else None
+        if meta_json:
+            meta = json.loads(meta_json)
+            if isinstance(meta, dict):
+                cred["metadata"] = meta
+    except Exception:
+        pass
+
+    return cred
+
+
+def _inject_winrm_credential(
+    base_values: Optional[Dict[str, Any]],
+    credential: Optional[Dict[str, Any]],
+) -> Dict[str, Any]:
+    values: Dict[str, Any] = dict(base_values or {})
+    if not credential:
+        return values
+
+    username = str(credential.get("username") or "")
+    password = str(credential.get("password") or "")
+    metadata = credential.get("metadata") if isinstance(credential.get("metadata"), dict) else {}
+    transport = metadata.get("winrm_transport") if isinstance(metadata, dict) else None
+    transport_str = str(transport or "ntlm").strip().lower() or "ntlm"
+
+    values[_WINRM_USERNAME_VAR] = username
+    values[_WINRM_PASSWORD_VAR] = password
+    values[_WINRM_TRANSPORT_VAR] = transport_str
+    return values
+

 def _emit_ansible_recap_from_row(row):
    if not row:
@@ -4564,6 +4603,7 @@ ensure_default_admin()

 job_scheduler = register_job_scheduler(app, socketio, DB_PATH)
 scheduler_set_server_runner(job_scheduler, _queue_server_ansible_run)
+scheduler_set_credential_fetcher(job_scheduler, _fetch_credential_with_secrets)
 job_scheduler.start()

 # Provide scheduler with online device lookup based on registered agents
@@ -6375,15 +6415,26 @@ def ansible_quick_run():
        return jsonify({"error": "Missing playbook_path or hostnames[]"}), 400
    server_mode = False
    cred_id_int = None
+    credential_detail: Optional[Dict[str, Any]] = None
    if credential_id not in (None, "", "null"):
        try:
            cred_id_int = int(credential_id)
            if cred_id_int <= 0:
                cred_id_int = None
-            else:
-                server_mode = True
        except Exception:
            return jsonify({"error": "Invalid credential_id"}), 400
+
+    if cred_id_int:
+        credential_detail = _fetch_credential_with_secrets(cred_id_int)
+        if not credential_detail:
+            return jsonify({"error": "Credential not found"}), 404
+        conn_type = (credential_detail.get("connection_type") or "ssh").lower()
+        if conn_type in ("ssh", "linux", "unix"):
+            server_mode = True
+        elif conn_type in ("winrm", "psrp"):
+            variable_values = _inject_winrm_credential(variable_values, credential_detail)
+        else:
+            return jsonify({"error": f"Credential connection '{conn_type}' not supported"}), 400
    try:
        root, abs_path, _ = _resolve_assembly_path('ansible', rel_path)
        if not os.path.isfile(abs_path):
@@ -6407,16 +6458,6 @@ def ansible_quick_run():
        if server_mode and not cred_id_int:
            return jsonify({"error": "credential_id is required for server-side execution"}), 400

-        if server_mode:
-            cred = _fetch_credential_with_secrets(cred_id_int)
-            if not cred:
-                return jsonify({"error": "Credential not found"}), 404
-            conn_type = (cred.get("connection_type") or "ssh").lower()
-            if conn_type not in ("ssh",):
-                return jsonify({"error": f"Credential connection '{conn_type}' not supported for server execution"}), 400
-            # Avoid keeping decrypted secrets in memory longer than necessary
-            del cred
-
        results = []
        for host in hostnames:
            # Create activity_history row so UI shows running state and can receive recap mirror
@@ -6510,6 +6551,9 @@ def ansible_quick_run():
                    except Exception:
                        pass
                results.append({"hostname": host, "run_id": run_id, "status": "Failed", "activity_job_id": job_id, "error": str(ex)})
+        if credential_detail is not None:
+            # Remove decrypted secrets from scope as soon as possible
+            credential_detail.clear()
        return jsonify({"results": results})
    except ValueError as ve:
        return jsonify({"error": str(ve)}), 400