

personal installation fixes + repo_puller account not needed
ondrejs4 committed Nov 9, 2022
1 parent 408c57f commit b7a2faf
Showing 2 changed files with 72 additions and 16 deletions.
31 changes: 25 additions & 6 deletions repo_content_set_up/custom/Repo_sync/repo_sync.ps1
Expand Up @@ -46,6 +46,10 @@ Import-Module Scripts -Function Send-Email -ErrorAction SilentlyContinue
$lastSendEmail = Join-Path $logFolder "lastSendEmail"
$treshold = 30

# if runs as SYSTEM, it is being run on separate MGM server
# if runs as user, MGM server == computer where repository is managed == PERSONAL INSTALLATION TYPE
$runningAsSYSTEM = [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem

# UNC path to (DFS) share, where repository data for clients are stored and therefore processed content will be copied
$repository = "__REPLACEME__1" # UNC path to DFS repository (ie.: \\myDomain\dfs\repository)

Expand Down Expand Up @@ -620,6 +624,13 @@ function _setPermissions {
$writeUser = @($writeUser) + 'SYSTEM'
}

# adding account which runs this script
# it is personal repo installation a.k.a. MGM server is the same as repository admin pc
# to avoid problems with this solution installer where user is added to repo_writer group, but his token doesn't have this permission yet. Therefore Repo_sync sched. task will fail and so the installation
if (!$runningAsSYSTEM) {
$writeUser = @($writeUser) + (whoami.exe)
}

$permissions = @()

if (Test-Path $path -PathType Container) {
Expand Down Expand Up @@ -718,7 +729,7 @@ try {
if ($result -match "fatal: ") { throw $result }
# resets the master branch to what you just fetched. The --hard option changes all the files in your working tree to match the files in origin/master
"$(Get-Date -Format HH:mm:ss) - Discarding local changes"
$null = _startProcess git -argumentList "reset --hard origin/master"
$null = _startProcess git -argumentList "reset --hard"
# delete untracked files and folders (generated modules etc)
_startProcess git -argumentList "clean -fd"

Expand Down Expand Up @@ -755,12 +766,20 @@ try {
$result = _startProcess git -argumentList "clone --local `"__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std
} else {
# its URL
$acc = Import-Clixml "$PSScriptRoot\login.xml"
$l = $acc.UserName
$p = $acc.GetNetworkCredential().Password
# instead __REPLACEME__ use URL of your company repository (i.e. something like: dev.azure.com/ztrhgf/WUG_show/_git/WUG_show). Final URL will than be something like this: https://altLogin:[email protected]/ztrhgf/WUG_show/_git/WUG_show)
$result = _startProcess git -argumentList "clone `"https://fakeAccount`:$p@__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std
if ($runningAsSYSTEM) {
$acc = Import-Clixml "$PSScriptRoot\login.xml"
$l = $acc.UserName
$p = $acc.GetNetworkCredential().Password
# instead __REPLACEME__ use URL of your company repository (i.e. something like: dev.azure.com/ztrhgf/WUG_show/_git/WUG_show). Final URL will than be something like this: https://altLogin:[email protected]/ztrhgf/WUG_show/_git/WUG_show)
$result = _startProcess git -argumentList "clone `"https://fakeAccount`:$p@__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std
} else {
# running as USER
# this means that separate MGM server doesn't exist and repository processing is made on the same computer where repository is managed (admin computer)
# user credentials will be used instead of repo_puller
$result = _startProcess git -argumentList "clone `"https://__REPLACEME__2`" `"$clonedRepository`"" -outputErr2Std
}
}

if ($result -match "fatal: ") { throw $result }
} catch {
Remove-Item $clonedRepository -Recurse -Force -Confirm:$false -ErrorAction SilentlyContinue
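Review bot: In the new `else` branch of the clone hunk the URL carries no credential at all, while the comment just above it says user credentials will be used; whatever supplies them at run time (presumably a git credential helper in the user's profile, which must be readable under the scheduled task's logon type) is not visible here and should be stated, e.g. `# no explicit credential: relies on the user's git credential helper being available to the Repo_sync task session`. The SYSTEM branch keeps `$l = $acc.UserName` assigned but never used (the URL hard-codes `fakeAccount`), and the password still travels in the git argument list where it is visible to process listing and any command logging; that is carried over rather than introduced, but a comment noting the exposure would help. In the `reset --hard` hunk the target `origin/master` was dropped, so the comment two lines above it, which still describes resetting to origin/master, is now stale and should be reworded to say what the bare `reset --hard` resets to. The enclosing `try` block starts and ends outside these hunks.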
57 changes: 47 additions & 10 deletions stp.ps1
Expand Up @@ -652,6 +652,7 @@ Process {
- Creates required scheduled tasks.
- Repo_sync
- Pulls data from your GIT repository and process them
- will be run under your account therefore use your credentials to access GIT repository
- PS_env_set_up
- Synchronizes client with already processed repository data
- Starts VSC editor with your new repository, so you can start your testing immediately. :)
Expand Down Expand Up @@ -717,7 +718,20 @@ Process {
Clear-Host

if (!$noEnvModification -and !$testInstallation) {
@"
if ($personalInstallation) {
@"
####################################
# BEFORE YOU CONTINUE
####################################
- Create cloud or locally hosted GIT !private! repository (tested with Azure DevOps but probably will work also with GitHub etc).
- Clone this repository locally (git clone command).
- NOTE:
- More details can be found at https://github.com/ztrhgf/Powershell_CICD_repository/blob/master/1.%20HOW%20TO%20INSTALL.md
"@
} else {
@"
####################################
# BEFORE YOU CONTINUE
####################################
Expand All @@ -730,6 +744,7 @@ Process {
- NOTE:
- More details can be found at https://github.com/ztrhgf/Powershell_CICD_repository/blob/master/1.%20HOW%20TO%20INSTALL.md
"@
}

_pressKeyToContinue
}
Expand Down Expand Up @@ -1409,7 +1424,7 @@ Your input will be stored to '$iniFile'. So next time you start this script, its
} else {
$userDomain = "$env:COMPUTERNAME.com"
}
Write-Host "- Configuring repository '$userRepository'" -ForegroundColor Green
Write-Host "- Configuring repository '$userRepository' & commit and push the changes" -ForegroundColor Green
" - activating GIT Hooks, creating symlink for PowerShell snippets, commiting&pushing changes, etc"

if ($testInstallation -or (!$noEnvModification -and !(_skip))) {
Expand Down Expand Up @@ -1475,15 +1490,24 @@ Your input will be stored to '$iniFile'. So next time you start this script, its
$userRepoSync = Join-Path $userRepository "custom\Repo_sync"
Write-Host "- Setting MGM server ($MGMServer)" -ForegroundColor Green
if (!$testInstallation) {
@"
if ($personalInstallation) {
@"
- copy Repo_sync folder to '$MGMRepoSync'
- install newest version of 'GIT'
- install 'GIT'
- create scheduled task 'Repo_sync' from 'Repo_sync.xml'
"@
} else {
@"
- copy Repo_sync folder to '$MGMRepoSync'
- install 'GIT'
- create scheduled task 'Repo_sync' from 'Repo_sync.xml'
- export 'repo_puller' account alternate credentials to '$MGMRepoSync\login.xml' (only SYSTEM account on $MGMServer will be able to read them!)
- copy exported credentials from $MGMServer to $userRepoSync
- commit&push exported credentials (so they won't be automatically deleted from $MGMServer, after this solution starts working)
"@
}
}

if ($testInstallation -or (!$noEnvModification -and !(_skip))) {
Expand Down Expand Up @@ -1560,9 +1584,25 @@ Your input will be stored to '$iniFile'. So next time you start this script, its
$Repo_syncXML = "$MGMRepoSync\Repo_sync.xml"
" - creating scheduled task '$taskName' from $Repo_syncXML"

if ($personalInstallation) {
[xml]$Repo_syncXMLContent = Get-Content $Repo_syncXML
# replace SID for the current user ones a.k.a. the sched. task will be run as current user a.k.a. his credentials will be used to clone GIT repository instead of separate repo_puller account
$Repo_syncXMLContent.Task.Principals.Principal.UserId = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
$LogonTypeChild = $Repo_syncXMLContent.CreateElement('LogonType', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
$null = $Repo_syncXMLContent.Task.Principals.Principal.AppendChild($LogonTypeChild)
$Repo_syncXMLContent.Task.Principals.Principal.LogonType = 'S4U'
$Repo_syncXMLContent.save($Repo_syncXML)
}

_createSchedTask -xmlDefinition $Repo_syncXML -taskName $taskName

if ($ADInstallation -or $personalInstallation) {
if ($personalInstallation) {
# this task definition is customized for every repository user, therefore it doesn't make sense to save it into the repository, because no one else can use it
" - removing scheduled task '$taskName' definition $Repo_syncXML"
Remove-Item $Repo_syncXML -Force
}

if ($ADInstallation) {
" - exporting repo_puller account alternate credentials to '$MGMRepoSync\login.xml' (only SYSTEM account on $env:COMPUTERNAME will be able to read them!)"
_exportCred -credential (Get-Credential -Message 'Enter credentials (that can be used in unattended way) for GIT "repo_puller" account, you created earlier') -runAs "NT AUTHORITY\SYSTEM" -xmlPath "$MGMRepoSync\login.xml"
}
Expand All @@ -1584,12 +1624,9 @@ Your input will be stored to '$iniFile'. So next time you start this script, its
#endregion configure MGM server

#region copy exported GIT credentials from MGM server to cloned GIT repo & commit them
if (!$testInstallation) {
if ($ADInstallation) {
" - copying exported credentials from $MGMServer to $userRepoSync"
if ($personalInstallation) {
# copy locally
Copy-Item "$MGMRepoSync\login.xml" "$userRepoSync\login.xml" -Force
} elseif ($ADInstallation -and $notADAdmin) {
if ($notADAdmin) {
# copy using previously created PSSession
Copy-Item -FromSession $MGMServerSession "C:\Windows\Scripts\Repo_sync\login.xml" -Destination "$userRepoSync\login.xml" -Force
} else {
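Review bot: The task definition is rewritten to run as the current user's SID with `LogonType` set to `S4U` (the `if ($personalInstallation)` block before `_createSchedTask`), which means the task runs without a stored password; whether the git credentials the personal-installation clone depends on are reachable from such a session is not established here and should be confirmed and recorded next to that line, e.g. `# S4U: no stored password; confirm git's credential helper can supply repository credentials in this session`. `$Repo_syncXMLContent.save($Repo_syncXML)` is the .NET XmlDocument Save, which resolves a relative path against the process working directory rather than the PowerShell location; if `$MGMRepoSync` can ever be relative, pass `(Resolve-Path $Repo_syncXML).Path` instead. `Get-Content` without `-Raw` works here only because the `[xml]` cast joins the lines; `Get-Content -Raw` would make the intent explicit. The enclosing block starts and ends outside the hunk.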
