From b7a2faf3639d52a7f0b41352094c28b082ac3543 Mon Sep 17 00:00:00 2001
From: ondrejs4
Date: Wed, 9 Nov 2022 22:05:10 +0100
Subject: [PATCH] personal installation fixes + repo_puller account not needed
---
.../custom/Repo_sync/repo_sync.ps1 | 31 ++++++++--
stp.ps1 | 57 +++++++++++++++----
2 files changed, 72 insertions(+), 16 deletions(-)
diff --git a/repo_content_set_up/custom/Repo_sync/repo_sync.ps1 b/repo_content_set_up/custom/Repo_sync/repo_sync.ps1
index 9f2887a..16fea20 100644
--- a/repo_content_set_up/custom/Repo_sync/repo_sync.ps1
+++ b/repo_content_set_up/custom/Repo_sync/repo_sync.ps1
@@ -46,6 +46,10 @@ Import-Module Scripts -Function Send-Email -ErrorAction SilentlyContinue $lastSendEmail = Join-Path $logFolder "lastSendEmail" $treshold = 30 +# if runs as SYSTEM, it is being run on separate MGM server +# if runs as user, MGM server == computer where repository is managed == PERSONAL INSTALLATION TYPE +$runningAsSYSTEM = [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem + # UNC path to (DFS) share, where repository data for clients are stored and therefore processed content will be copied $repository = "__REPLACEME__1" # UNC path to DFS repository (ie.: \\myDomain\dfs\repository)
@@ -620,6 +624,13 @@ function _setPermissions { $writeUser = @($writeUser) + 'SYSTEM' } + # adding account which runs this script + # it is personal repo installation a.k.a. MGM server is the same as repository admin pc + # to avoid problems with this solution installer where user is added to repo_writer group, but his token doesn't have this permission yet. Therefore Repo_sync sched. task will fail and so the installation + if (!$runningAsSYSTEM) { + $writeUser = @($writeUser) + (whoami.exe) + } + $permissions = @() if (Test-Path $path -PathType Container) { 
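Review bot: In the `_setPermissions` hunk (@@ -620) the running account is resolved by spawning `whoami.exe`, whereas the @@ -46 hunk already takes the identity from `[Security.Principal.WindowsIdentity]::GetCurrent()`; `$writeUser = @($writeUser) + [Security.Principal.WindowsIdentity]::GetCurrent().Name` yields the equivalent account name from one source and removes the dependency on an external binary being on PATH. The new `if (!$runningAsSYSTEM)` reads a script-scope variable from inside a function with no hint of where it is set; a comment such as `# $runningAsSYSTEM is set at script scope near the top of the file` would help the next reader. `_setPermissions` starts and ends outside the hunk.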
@@ -718,7 +729,7 @@ try { if ($result -match "fatal: ") { throw $result } # resets the master branch to what you just fetched. The --hard option changes all the files in your working tree to match the files in origin/master "$(Get-Date -Format HH:mm:ss) - Discarding local changes" - $null = _startProcess git -argumentList "reset --hard origin/master" + $null = _startProcess git -argumentList "reset --hard" # delete untracked files and folders (generated modules etc) _startProcess git -argumentList "clean -fd" 
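Review bot: Dropping `origin/master` from `git reset --hard` means the working tree is now reset to the local HEAD rather than to the ref just fetched, so the comment directly above it (`resets the master branch to what you just fetched`) no longer describes what the line does. If the intent is that a personal installation keeps commits made locally, the comment should say so; if the tree should still match the remote, `reset --hard origin/master` should stay, at least in the `$runningAsSYSTEM` case. I cannot see the fetch/pull that precedes this hunk, so the effective behaviour is inferred; the enclosing `try` block starts and ends outside the hunk.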
@@ -755,12 +766,20 @@ try { $result = _startProcess git -argumentList "clone --local `"__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std } else { # its URL - $acc = Import-Clixml "$PSScriptRoot\login.xml" - $l = $acc.UserName - $p = $acc.GetNetworkCredential().Password - # instead __REPLACEME__ use URL of your company repository (i.e. something like: dev.azure.com/ztrhgf/WUG_show/_git/WUG_show). Final URL will than be something like this: https://altLogin:altPassword@dev.azure.com/ztrhgf/WUG_show/_git/WUG_show) - $result = _startProcess git -argumentList "clone `"https://fakeAccount`:$p@__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std + if ($runningAsSYSTEM) { + $acc = Import-Clixml "$PSScriptRoot\login.xml" + $l = $acc.UserName + $p = $acc.GetNetworkCredential().Password + # instead __REPLACEME__ use URL of your company repository (i.e. something like: dev.azure.com/ztrhgf/WUG_show/_git/WUG_show). Final URL will than be something like this: https://altLogin:altPassword@dev.azure.com/ztrhgf/WUG_show/_git/WUG_show) + $result = _startProcess git -argumentList "clone `"https://fakeAccount`:$p@__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std + } else { + # running as USER + # this means that separate MGM server doesn't exist and repository processing is made on the same computer where repository is managed (admin computer) + # user credentials will be used instead of repo_puller + $result = _startProcess git -argumentList "clone `"https://__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std + } } + if ($result -match "fatal: ") { throw $result } } catch { Remove-Item $clonedRepository -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
diff --git a/stp.ps1 b/stp.ps1
index 9fbbab2..37f3731 100644
--- a/stp.ps1
+++ b/stp.ps1
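Review bot: The new `else` branch clones `https://__REPLACEME__2` without any credential, relying on whatever credential helper the running user has configured; if nothing is cached, git falls back to an interactive prompt, and inside the `Repo_sync` scheduled task that prompt has no console, so the task hangs instead of reaching the `fatal:` check added at the end of the hunk. Setting `$env:GIT_TERMINAL_PROMPT = 0` (and `$env:GCM_INTERACTIVE = 'Never'` when Git Credential Manager is the helper) before the clone turns that situation into a `fatal:` message that the new check throws. Whether the S4U task logon configured in stp.ps1 lets git reach the user's credential store is not visible here and should be confirmed on a personal test install. The enclosing `try`/`catch` starts before the hunk.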
@@ -652,6 +652,7 @@ Process { - Creates required scheduled tasks. - Repo_sync - Pulls data from your GIT repository and process them + - will be run under your account therefore use your credentials to access GIT repository - PS_env_set_up - Synchronizes client with already processed repository data - Starts VSC editor with your new repository, so you can start your testing immediately. :)
@@ -717,7 +718,20 @@ Process { Clear-Host if (!$noEnvModification -and !$testInstallation) { - @" + if ($personalInstallation) { + @" #################################### # BEFORE YOU CONTINUE #################################### + +- Create cloud or locally hosted GIT !private! repository (tested with Azure DevOps but probably will work also with GitHub etc). + - Clone this repository locally (git clone command). + + - NOTE: + - More details can be found at https://github.com/ztrhgf/Powershell_CICD_repository/blob/master/1.%20HOW%20TO%20INSTALL.md +"@ + } else { + @" #################################### # BEFORE YOU CONTINUE ####################################
@@ -730,6 +744,7 @@ Process { - NOTE: - More details can be found at https://github.com/ztrhgf/Powershell_CICD_repository/blob/master/1.%20HOW%20TO%20INSTALL.md "@ + } _pressKeyToContinue }
@@ -1409,7 +1424,7 @@ Your input will be stored to '$iniFile'. So next time you start this script, its } else { $userDomain = "$env:COMPUTERNAME.com" } - Write-Host "- Configuring repository '$userRepository'" -ForegroundColor Green + Write-Host "- Configuring repository '$userRepository' & commit and push the changes" -ForegroundColor Green " - activating GIT Hooks, creating symlink for PowerShell snippets, commiting&pushing changes, etc" if ($testInstallation -or (!$noEnvModification -and !(_skip))) { 
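Review bot: The `@@ -717` hunk duplicates the whole BEFORE YOU CONTINUE here-string for the `$personalInstallation` and non-personal cases even though the header and the closing NOTE lines are identical; keeping a single here-string and interpolating only the branch-specific bullets (e.g. build `$extraSteps` with an `if ($personalInstallation)` expression first) avoids the two texts drifting apart. The `@@ -1475` hunk (MGM server steps) repeats the same pattern with three identical bullets in both branches. The non-personal here-string and the enclosing `if (!$noEnvModification -and !$testInstallation)` block continue past the hunk.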
@@ -1475,15 +1490,24 @@ Your input will be stored to '$iniFile'. So next time you start this script, its $userRepoSync = Join-Path $userRepository "custom\Repo_sync" Write-Host "- Setting MGM server ($MGMServer)" -ForegroundColor Green if (!$testInstallation) { - @" + if ($personalInstallation) { + @" - copy Repo_sync folder to '$MGMRepoSync' - - install newest version of 'GIT' + - install 'GIT' + - create scheduled task 'Repo_sync' from 'Repo_sync.xml' + +"@ + } else { + @" + - copy Repo_sync folder to '$MGMRepoSync' + - install 'GIT' - create scheduled task 'Repo_sync' from 'Repo_sync.xml' - export 'repo_puller' account alternate credentials to '$MGMRepoSync\login.xml' (only SYSTEM account on $MGMServer will be able to read them!) - copy exported credentials from $MGMServer to $userRepoSync - commit&push exported credentials (so they won't be automatically deleted from $MGMServer, after this solution starts working) "@ + } } if ($testInstallation -or (!$noEnvModification -and !(_skip))) { 
@@ -1560,9 +1584,25 @@ Your input will be stored to '$iniFile'. So next time you start this script, its $Repo_syncXML = "$MGMRepoSync\Repo_sync.xml" " - creating scheduled task '$taskName' from $Repo_syncXML" + if ($personalInstallation) { + [xml]$Repo_syncXMLContent = Get-Content $Repo_syncXML + # replace SID for the current user ones a.k.a. the sched. task will be run as current user a.k.a. his credentials will be used to clone GIT repository instead of separate repo_puller account + $Repo_syncXMLContent.Task.Principals.Principal.UserId = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value + $LogonTypeChild = $Repo_syncXMLContent.CreateElement('LogonType', 'http://schemas.microsoft.com/windows/2004/02/mit/task') + $null = $Repo_syncXMLContent.Task.Principals.Principal.AppendChild($LogonTypeChild) + $Repo_syncXMLContent.Task.Principals.Principal.LogonType = 'S4U' + $Repo_syncXMLContent.save($Repo_syncXML) + } + _createSchedTask -xmlDefinition $Repo_syncXML -taskName $taskName - if ($ADInstallation -or $personalInstallation) { + if ($personalInstallation) { + # this task definition is customized for every repository user, therefore it doesn't make sense to save it into the repository, because no one else can use it + " - removing scheduled task '$taskName' definition $Repo_syncXML" + Remove-Item $Repo_syncXML -Force + } + + if ($ADInstallation) { " - exporting repo_puller account alternate credentials to '$MGMRepoSync\login.xml' (only SYSTEM account on $env:COMPUTERNAME will be able to read them!)" _exportCred -credential (Get-Credential -Message 'Enter credentials (that can be used in unattended way) for GIT "repo_puller" account, you created earlier') -runAs "NT AUTHORITY\SYSTEM" -xmlPath "$MGMRepoSync\login.xml" } 
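Review bot: The `LogonType` element is appended to `Principal` with no check for one already present, and `AppendChild` places it after any `RunLevel` the template has; the Task Scheduler principal schema is an ordered sequence (UserId, LogonType, …, RunLevel), so depending on what `Repo_sync.xml` already contains the registration can be rejected or `.LogonType = 'S4U'` can land on a node collection. Reusing an existing node and inserting before `RunLevel` avoids both, as sketched below. `$Repo_syncXMLContent.save($Repo_syncXML)` is `XmlDocument.Save`, which resolves a relative path against the process working directory rather than PowerShell's current location, so `$MGMRepoSync` (set outside the hunk) must be absolute or the path should go through `Resolve-Path`. The `'S4U'` choice also deserves a comment: no password is stored and the task token carries no network credentials, which is exactly why repo_sync.ps1 falls back to the user's own git credentials.
```powershell
if ($personalInstallation) {
    [xml]$Repo_syncXMLContent = Get-Content $Repo_syncXML
    $principal = $Repo_syncXMLContent.Task.Principals.Principal
    # sched. task runs as the current user; his credentials are used to clone the GIT repository instead of repo_puller
    $principal.UserId = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
    # S4U: no password is stored and the task token carries no network credentials
    $taskNs = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
    $logonTypeNode = $principal.GetElementsByTagName('LogonType') | Select-Object -First 1
    if (-not $logonTypeNode) {
        $logonTypeNode = $Repo_syncXMLContent.CreateElement('LogonType', $taskNs)
        # schema order: LogonType must precede RunLevel when the template defines one
        $runLevelNode = $principal.GetElementsByTagName('RunLevel') | Select-Object -First 1
        if ($runLevelNode) {
            $null = $principal.InsertBefore($logonTypeNode, $runLevelNode)
        } else {
            $null = $principal.AppendChild($logonTypeNode)
        }
    }
    $logonTypeNode.InnerText = 'S4U'
    $Repo_syncXMLContent.Save((Resolve-Path $Repo_syncXML).ProviderPath)
}
# … unchanged: _createSchedTask call, definition removal and the $ADInstallation block …
```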
@@ -1584,12 +1624,9 @@ Your input will be stored to '$iniFile'. So next time you start this script, its #endregion configure MGM server #region copy exported GIT credentials from MGM server to cloned GIT repo & commit them - if (!$testInstallation) { + if ($ADInstallation) { " - copying exported credentials from $MGMServer to $userRepoSync" - if ($personalInstallation) { - # copy locally - Copy-Item "$MGMRepoSync\login.xml" "$userRepoSync\login.xml" -Force - } elseif ($ADInstallation -and $notADAdmin) { + if ($notADAdmin) { # copy using previously created PSSession Copy-Item -FromSession $MGMServerSession "C:\Windows\Scripts\Repo_sync\login.xml" -Destination "$userRepoSync\login.xml" -Force } else {
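Review bot: Replacing `if (!$testInstallation)` with `if ($ADInstallation)` drops the test-installation guard, so an AD installation run with `$testInstallation` set now executes the copy (including `Copy-Item -FromSession $MGMServerSession`) where it was skipped before. Unless the two switches are mutually exclusive where they are defined (outside the hunk), `if ($ADInstallation -and !$testInstallation)` preserves the previous behaviour while keeping the personal-installation branch removed. The `else` branch of the inner `if` continues past the end of the hunk.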