Inspec: vmware-vsphere-7.0-stig-baseline, Unable to connect to VIServer #109

Closed
pstearns opened this issue Nov 8, 2022 · 10 comments
Labels
bug Something isn't working

Comments

@pstearns

pstearns commented Nov 8, 2022

Describe the bug

Using inspec with train-vmware-0.1.8.gem installed, vmware transport returns: Unable to connect to VIServer.
Attempted with vmware-vsphere-7.0-stig-baseline and calling specific sub profiles (esxi, vm, vcenter).
Environmental Variables are set: $env:VISERVER; $env:VISERVER_USERNAME; $env:VISERVER_PASSWORD

  • When using $env:VISERVER_USERNAME="[email protected]"
    InSpec returns: Unable to connect to VIServer at vCenterName. Incorrect username or password.
    Note: [email protected] password has special characters including a $.
  • ENV:Password set with single quotes: "$env:VISERVER_PASSWORD='Ex@mpl3P@$$w0rd'" (Just an example of special characters)
  • Created local account testAccount with no special characters and set Env variables. This produces "Unable to connect to VIServer at vCenterName"

Thoughts:

  • Special characters such as "$ or @" are not passing correctly.
  • Or/And New local account doesn't have proper permission. Currently set as Administrator set at the Global level.
  • Connect-SSOAdminServer is failing cert check

Inspec using ssh transport is working with the VCSA profile.
After installing train-vmware-0.1.8.gem, inspec commands also return: fatal: not a git repository: 'ext/ffi_c/libffi/.git'

In the README.md file it mentions needing Connect-SsoAdminServer. However, I could not locate where this is being called or where the train-vmware-0.1.8.gem is installed so I can further investigate the issue.

Tested:
WORKS: Connect-VIserver $env:VISERVER -user $env:VISERVER_USERNAME -password $env:VISERVER_PASSWORD
WORKS: Connect-SsoAdminServer -server $env:VISERVER -user $env:VISERVER_USERNAME -password $env:VISERVER_PASSWORD -SkipCertificateCheck
FAILS: Connect-SsoAdminServer -server $env:VISERVER -user $env:VISERVER_USERNAME -password $env:VISERVER_PASSWORD

Reproduction steps

RUNNING w/ ENV set to [email protected] with complex password:

  1. $env:VISERVER = "vCenterName"
    
  2. $env:VISERVER_USERNAME="[email protected]"
    
  3. $env:VISERVER_PASSWORD='Ex@mpl3P@$$w0rd'
    
  4. Modify inputs.yml
    
  5. inspec exec /opt/dod-compliance-and-automation/vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline -t vmware:// --input-file ./inputs.yml
    
  6. OUTPUT:
                    fatal: not a git repository (or any of the parent directories): .git
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository (or any of the parent directories): .git
                    fatal: not a git repository (or any of the parent directories): .git
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository (or any of the parent directories): .git
                    Unable to connect to VIServer at vCenterName. Incorrect username or password
    

OR CREATE LOCAL ADMIN w/ simple password:

  1. $env:VISERVER = "vCenterName"
    
  2. $env:VISERVER_USERNAME="[email protected]"
    
  3. $env:VISERVER_PASSWORD='ExamplePassword'
    
  4. Modify inputs.yml
    
  5. inspec exec /opt/dod-compliance-and-automation/vsphere/7.0/vsphere/inspec/vmware-vsphere-7.0-stig-baseline -t vmware:// --input-file ./inputs.yml
    
  6. OUTPUT:
                    fatal: not a git repository (or any of the parent directories): .git
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository (or any of the parent directories): .git
                    fatal: not a git repository (or any of the parent directories): .git
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository: 'ext/ffi_c/libffi/.git'
                    fatal: not a git repository (or any of the parent directories): .git
                    Unable to connect to VIServer at vCenterName.
    

RUNNING WITHOUT train-vmware-0.1.8.gem installed:
OUTPUT:
Unable to determine PowerCLI Module version, is it installed?
...

Expected behavior

Connect to vCenter to run InSpec.

Additional context

OS: RHEL 8.6
InSpec: 5.18.14
Ruby: 2.7.4p191
Powershell: 7.2.5 Core
PowerCLI: 12.7.0
VMware.vSphere.SsoAdmin: 1.3.8

@pstearns pstearns added the bug Something isn't working label Nov 8, 2022
@rlakey
Contributor

rlakey commented Nov 9, 2022

It looks like you are running this from a Powershell Core prompt and not bash on a RHEL box, correct?

Try setting this before you run. You are probably hitting this silly issue PowerShell/PowerShell#17020

$env:NO_COLOR=$true

Also the transport is probably installed in this path of the user that installed it ~/.inspec/gems/2.7.0/gems/train-vmware-0.1.8

Relevant code you are probably looking for is...

```ruby
def connect
  # Log in to vCenter. Server, username and password are interpolated into the
  # PowerShell command string as-is (the password is not quoted here).
  login_command = "Connect-VIServer #{options[:viserver]} -User #{options[:username]} -Password #{options[:password]} | Out-Null"
  result = run_command_via_connection(login_command)

  if result.exit_status != 0
    message = "Unable to connect to VIServer at #{options[:viserver]}. "
    case result.stderr
    when /Invalid server certificate/
      message += "Certification verification failed. Please use `--insecure` or set `Set-PowerCLIConfiguration -InvalidCertificateAction Ignore` in PowerShell"
    when /incorrect user name or password/
      message += "Incorrect username or password"
    else
      # Keep the password out of the raised error message.
      message += result.stderr.gsub(/-Password .*\s/, "-Password REDACTED")
    end

    raise message
  end

  # Second login, to the SSO admin server; certificate checking is skipped.
  sso_command = "Connect-SsoAdminServer -Server #{options[:viserver]} -User #{options[:username]} -Password #{options[:password]} -SkipCertificateCheck | Out-Null"
  result = run_command_via_connection(sso_command)

  if result.exit_status != 0
    message = "Unable to connect to SSO Admin Server at #{options[:viserver]}. "
    case result.stderr
    when /Invalid server certificate/
      message += "Certification verification failed. Please use `--insecure` or set `Set-PowerCLIConfiguration -InvalidCertificateAction Ignore` in PowerShell"
    when /Invalid credentials/
      message += "Invalid credentials"
    else
      message += result.stderr.gsub(/-Password .*\s/, "-Password REDACTED")
    end

    raise message
  end
end
```

@HerbBoy
Contributor

HerbBoy commented Nov 9, 2022

I still have an issue open in inspec/train; if you all could bump it, it might get them to fix it, although I have a few issues I have my eye on and it feels like development has become stagnant.

@pstearns
Author

pstearns commented Nov 9, 2022

@rlakey Correct, I am running these from the Powershell Core prompt

The "$env:NO_COLOR=$true" seemed to fix the "Unable to determine PowerShell module" while "train-vmware-0.1.8.gem" is not installed.

However, I am still having issues with dealing with passwords that contain "$".
I attempted to modify this in the transport.rb and connection.rb but admittedly I am still learning.

  • Any suggestions on how to properly pass/escape the "$" in the password?

Regarding the train-vmware-0.1.8.gem:

  • I am still getting the "fatal: not a git repository: 'ext/ffi_c/libffi/.git'" when installed.
  • Can "~/.inspec/gems/2.7.0/gems/train-vmware-0.1.8" be moved/installed directly to the InSpec dir (/opt/inspec/embedded/lib/ruby/gems/2.7.0/gems/)

@rlakey
Copy link
Contributor

rlakey commented Nov 10, 2022

Should be just single quotes to deal with the $.

You can also try just running it from bash and not dropping directly into pwsh. The way it works is it will launch a new powershell session anyway so you don't already have to be in one.

I see the "fatal: not a git repository: 'ext/ffi_c/libffi/.git'" errors as well in some cases. I don't remember if I tracked that all the way down, but if I recall, for whatever reason it's installing another instance of those dependencies and they exist in a few places.

I don't know if you can directly install it there but you could certainly just overwrite it. But mine is spread over the 3 files where there only one is just 1. The train development examples have things split up so I just followed that and broke things out.

The transport I did was mainly to fix the powershell detection issue and to add in the Connect-SsoAdminServer part so we could also check some of the vCenter SSO stuff.

@pstearns
Author

For clarification:
$ENV:NO_COLOR - UNSET
OUTPUT w/ train-vmware-0.1.8.gem = Unable to connect to VIServer at $VIServer
OUTPUT w/o train-vmware-0.1.8.gem = Unable to determine PowerCLI Module version, is it installed?
$ENV:NO_COLOR=$true - fixes this issue for both.

Running from bash or pwsh and password has $ = Unable to connect to VIServer at $VIServer. Incorrect username or password
Using single quotes while setting $ENV:VISERVER_PASSWORD does not resolve.

@rlakey Good info and thanks again for your ongoing support on this project.

@rlakey
Contributor

rlakey commented Nov 16, 2022

Some more data points.

On Windows with Powershell Core 7.2.7 a password with ! and @ works without $ENV:NO_COLOR=$true

On Ubuntu 20.04 (WSL on Windows) from bash and pwsh 7.2.7 with variables exported:

Unable to connect to VIServer at 10.x.x.56 with username [email protected] and password XXXXXX@!123 Exit status: 1 Result: #<struct Train::Extras::CommandResult stdout="!123\n\e[?1l\n\e[32;1mName Port User\e[0m\n\e[32;1m---- ---- ----\e[0m\n10.184.111.56 443 VSPHERE.LOCAL\\Administrator\n\n", stderr="", exit_status=1>

I added some additional output to the transport so I could see the username/password and see the result of the command. You can see my password is cut off and I see the ANSI escape characters injected into the output. I also didn't see a failed login attempt to vCenter, so this tells me the command is also not executing correctly at all and not just with a bad password.

If I drop into pwsh on the same box and run it I get the same results.

If I set $ENV:NO_COLOR=$true and run it then it works from pwsh.

@rlakey
Contributor

rlakey commented Nov 16, 2022

For reference as well this is what the output looks like without the escape characters.

#<struct Train::Extras::CommandResult stdout="\nName Port User\n---- ---- ----\n10.X.X.56 443 VSPHERE.LOCAL\\Administrator\n\n", stderr="", exit_status=0>

@pstearns
Author

pstearns commented Nov 16, 2022

I was able to fix this by adding single quotes around the password where the login_command is being created.

```ruby
def connect
  login_command = "Connect-VIServer #{options[:viserver]} -User #{options[:username]} -Password '#{options[:password]}' | Out-Null"
  result = run_command_via_connection(login_command)
  # ...
end
```

Note: I am testing this with the built-in train and modified the following file:
./inspec/embedded/lib/ruby/gems/2.7.0/gems/train-3.10.1/lib/train/transport/vmware.rb
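
The single-quote fix described above, taken one step further as an added example (not part of the thread and not code from train or train-vmware): wrapping the value in `'...'` stops PowerShell from expanding `$`, but a password that itself contains a single quote would end the literal early, so each quote character has to be doubled. The helper names `ps_quote`, `build_login_command` and `redact_password` are hypothetical, and the sample values are constructed.

```ruby
# Added example: quote values as PowerShell single-quoted literals before
# interpolating them into a command string, and redact the result for logs.

# Characters PowerShell's tokenizer accepts as a single-quote delimiter:
# ASCII ' plus the typographic quotes U+2018, U+2019, U+201A and U+201B.
PS_SINGLE_QUOTES = /['\u2018\u2019\u201A\u201B]/.freeze

# Hypothetical helper: return +value+ as a PowerShell single-quoted literal.
# Inside single quotes PowerShell performs no $variable or $(...) expansion;
# the only escape needed is doubling each quote character.
def ps_quote(value)
  "'" + value.to_s.gsub(PS_SINGLE_QUOTES) { |q| q * 2 } + "'"
end

# Hypothetical helper mirroring the Connect-VIServer line from the thread,
# with every interpolated value quoted, not only the password.
def build_login_command(server, username, password)
  "Connect-VIServer #{ps_quote(server)} -User #{ps_quote(username)} " \
    "-Password #{ps_quote(password)} | Out-Null"
end

# Hypothetical helper: replace the quoted password argument before the command
# is written to a log or an error message. The pattern understands doubled
# quotes, so it consumes the whole literal and nothing after it.
def redact_password(command)
  command.gsub(/-Password '(?:[^']|'')*'/, "-Password REDACTED")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample passwords, not taken from any real system.
  ['Ex@mpl3P@$$w0rd', "pa'ss;w0rd$1"].each do |pw|
    cmd = build_login_command("vCenterName", "user@example.test", pw)
    puts cmd
    puts redact_password(cmd)
  end
end
```
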

@rlakey
Contributor

rlakey commented Nov 18, 2022

Good catch, since it was logging the correct password I missed that. I'll make that update next time I get a chance and make sure it works on Windows as well.

@rlakey
Contributor

rlakey commented Jan 5, 2023

a2535db

@rlakey rlakey closed this as completed Jan 5, 2023