added tests and updated disable winrm implementation

[#151329914] Signed-off-by: Lisa Oakley <[email protected]>
SUSE · Nov 7, 2017 · 343749a · 343749a
1 parent b7afda5
commit 343749a
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 2 deletions.
diff --git a/platform/syscall_windows.go b/platform/syscall_windows.go
@@ -5,15 +5,14 @@ import (
 	"encoding/ascii85"
 	"errors"
 	"fmt"
+	"github.com/cloudfoundry/bosh-agent/jobsupervisor/winsvc"
 	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"syscall"
 	"unsafe"
 
-	"github.com/cloudfoundry/bosh-agent/jobsupervisor/winsvc"
-
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
 	"golang.org/x/sys/windows/svc"
@@ -499,10 +498,40 @@ func disableWindowsUpdates() error {
 	return nil
 }
 
+func closeWinRMPort() error {
+	deleteAllWinRMFirewallRules()
+
+	err := setWinrmFirewall("Block")
+	if err != nil {
+		return fmt.Errorf("could not set winrm firewall: %s", err)
+	}
+
+	return nil
+}
+
+func setWinrmFirewall(action string) error {
+	cmd := exec.Command("NETSH.exe", "advfirewall", "firewall", "add", "rule", "name=Port5985", "dir=in", fmt.Sprintf("action=%v", action), "localport=5985", "protocol=TCP")
+	_, err := cmd.CombinedOutput()
+
+	return err
+}
+
+func deleteAllWinRMFirewallRules() error {
+	cmd := exec.Command("NETSH.exe", "advfirewall", "firewall", "delete", "rule", "localport=5985", "dir=in", "protocol=TCP", "name=all")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("(%s): %s", err, string(out))
+	}
+	return nil
+}
+
 func setupRuntimeConfiguration() error {
 	if err := disableWindowsUpdates(); err != nil {
 		return fmt.Errorf("disabling updates: %s", err)
 	}
+	if err := closeWinRMPort(); err != nil {
+		return fmt.Errorf("closing WinRM port(5985): %s", err)
+	}
 	return nil
 }
 

diff --git a/platform/syscall_windows_test.go b/platform/syscall_windows_test.go
@@ -2,6 +2,13 @@
 
 package platform
 
+import (
+	"os/exec"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
 var (
 	// Export for testing
 	UserHomeDirectory    = userHomeDirectory
@@ -26,3 +33,54 @@ func SetAdministratorUserName(name string) (previous string) {
 	administratorUserName = name
 	return previous
 }
+
+var _ = FDescribe("closeWinRMPort", func() {
+
+	var itAddsABlockingRule = func() {
+		err := closeWinRMPort()
+		Expect(err).ToNot(HaveOccurred())
+
+		cmd := exec.Command("Powershell", "-Command", "Get-NetFirewallRule | where { $_.Action -eq \"Block\" } | Get-NetFirewallPortFilter | where { $_.LocalPort -eq 5985 }")
+		out, err := cmd.CombinedOutput()
+		s := string(out)
+
+		Expect(err).NotTo(HaveOccurred())
+		Expect(s).ToNot(BeEmpty())
+	}
+	cmd := exec.Command("Powershell", "-Command", "Get-NetFirewallRule | where { $_.Action -eq \"Allow\" } | Get-NetFirewallPortFilter | where { $_.LocalPort -eq 5985 }")
+	Context("Firewall rule allowing port 5985 exists", func() {
+
+		BeforeEach(func() {
+			deleteAllWinRMFirewallRules()
+
+			err := setWinrmFirewall("allow")
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("closes the port", func() {
+			err := closeWinRMPort()
+			Expect(err).ToNot(HaveOccurred())
+
+			out, err := cmd.CombinedOutput()
+			s := string(out)
+
+			Expect(err).NotTo(HaveOccurred())
+			Expect(s).To(BeEmpty())
+		})
+
+		It("adds a blocking rule", itAddsABlockingRule)
+	})
+
+	Context("Firewall rule allowing port 5985 does NOT exist", func() {
+		BeforeEach(func() {
+			deleteAllWinRMFirewallRules()
+		})
+
+		It("does not error", func() {
+			err := closeWinRMPort()
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("adds a blocking rule", itAddsABlockingRule)
+	})
+})