Sign upLogin

cloudamatic/mu

View on GitHub
Star
cookbooks/mu-utility/recipes/rdp_gateway.rb

Summary

Maintainability
A
0 mins
Test Coverage
#
# Cookbook Name:: mu-utility
# Recipe:: rdp_gateway
#
# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
#
# Licensed under the BSD-3 license (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License in the root of the project or at
#
#     http://egt-labs.com/mu/LICENSE.html
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

if !platform_family?("windows")
  Chef::Log.info "I don't know how to enable RDP gateway behavior on a non-Windows host"
else

  powershell_script "Install Remote Desktop Gateway services" do
    guard_interpreter :powershell_script
    not_if "Import-Module RemoteDesktopServices"
    code <<-EOH
            Add-WindowsFeature -Name RDS-Gateway -IncludeAllSubFeature
    EOH
  end

  powershell_script "Configure Remote Desktop Gateway services" do
    guard_interpreter :powershell_script
    code <<-EOH
            Import-Module RemoteDesktopServices
            cd RDS:\\GatewayServer\\CAP
            New-Item -Name StandardAccess -UserGroups 'Remote Desktop Users@BUILTIN' -AuthMethod 1
            New-Item -Name AdminAccess -UserGroups 'Administrators@BUILTIN' -AuthMethod 1
            cd RDS:\\GatewayServer\\RAP
            New-Item -Name StandardAccess -UserGroups 'Remote Desktop Users@BUILTIN' -ComputerGroupType 2
            New-Item -Name AdminAccess -UserGroups 'Administrators@BUILTIN' -ComputerGroupType 2

            # This bleeding horror lifted from: http://blogs.technet.com/b/vishalagarwal/archive/2009/08/22/generating-a-certificate-self-signed-using-powershell-and-certenroll-interfaces.aspx
            $name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
            $name.Encode("CN=RDS", 0)

            $key = new-object -com "X509Enrollment.CX509PrivateKey.1"
            $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
            $key.KeySpec = 1
            $key.Length = 1024
            $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)"
            $key.MachineContext = 1
            $key.Create()

            $serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
            $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1")
            $ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
            $ekuoids.add($serverauthoid)
            $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
            $ekuext.InitializeEncode($ekuoids)

            $cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"
            $cert.InitializeFromPrivateKey(2, $key, "")
            $cert.Subject = $name
            $cert.Issuer = $cert.Subject
            $cert.NotBefore = get-date
            $cert.NotAfter = $cert.NotBefore.AddDays(3650)
            $cert.X509Extensions.Add($ekuext)
            $cert.Encode()

            $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
            $enrollment.InitializeFromRequest($cert)
            $certdata = $enrollment.CreateRequest(0)
            $enrollment.InstallResponse(2, $certdata, 0, "")

            # Thumbprint bit: http://www.frontiertown.co.uk/jclouds/activate-winrm.ps1
            $thumbprints = Get-Childitem -path cert:\\LocalMachine\\My | Where-Object { $_.Subject -eq "CN=RDS" } | Select-Object -Property Thumbprint
            $thumbprint = @($thumbprints)[0].Thumbprint
            Set-Item -Path RDS:\\GatewayServer\\SSLCertificate\\Thumbprint -Value $thumbprint

            Restart-Service TSGateway
    EOH
  end
end