Merge pull request #88 from vexx32/17-allow-selecting-tls-versions

(#17) win_chocolatey - Add TLS option for bootstrapping

chocolatey/plugins/module_utils/Packages.psm1

@@ -950,21 +950,26 @@ function Install-Chocolatey {
 
         [Parameter()]
         [string]
-        $BootstrapScript
+        $BootstrapScript,
+
+        [Parameter()]
+        [string[]]
+        $BootstrapTlsVersion
     )
 
     $chocoCommand = Get-ChocolateyCommand -IgnoreMissing
     if ($null -eq $chocoCommand) {
         # We need to install chocolatey
-        # Enable TLS1.1/TLS1.2 if they're available but disabled (eg. .NET 4.5)
+        # Enable necessary TLS versions if they're available but disabled.
+        # Default for win_chocolatey is to allow TLS 1.1, 1.2, and 1.3 (if available)
         $protocols = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::SystemDefault
 
-        if ([System.Net.SecurityProtocolType].GetMember("Tls11").Count -gt 0) {
-            $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls11
-        }
-
-        if ([System.Net.SecurityProtocolType].GetMember("Tls12").Count -gt 0) {
-            $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls12
+        foreach ($tlsVersion in $BootstrapTlsVersion) {
+            # If the TLS version isn't available on the system, this will evaluate to $null and be skipped
+            $value = $tlsVersion -as [System.Net.SecurityProtocolType]
+            if ($value) {
+                $protocols = $protocols -bor $value
+            }
         }
 
         [System.Net.ServicePointManager]::SecurityProtocol = $protocols
@@ -1040,7 +1045,7 @@ function Install-Chocolatey {
         }
         catch {
             $message = "Failed to download Chocolatey script from '$scriptUrl'; $($_.Exception.Message)"
-            Assert-TaskFailed -Message $message -Exception $_
+            Assert-TaskFailed -Message $message -Exception $_.Exception
         }
 
         if (-not $Module.CheckMode) {

chocolatey/plugins/modules/win_chocolatey.ps1

@@ -33,6 +33,13 @@ function Get-ModuleSpec {
             allow_multiple        = @{ type = "bool"; default = $false; removed_in_version = '2.0.0'; removed_from_collection = 'chocolatey.chocolatey' }
             allow_prerelease      = @{ type = "bool"; default = $false }
             bootstrap_script      = @{ type = "str"; aliases = "install_ps1", "bootstrap_ps1" }
+            bootstrap_tls_version = @{
+                type = "list"
+                elements = "str"
+                choices = "tls11", "tls12", "tls13"
+                default = "tls12", "tls13"
+                aliases = "tls_version", "tls_versions", "bootstrap_tls_versions"
+            }
             architecture          = @{ type = "str"; default = "default"; choices = "default", "x86" }
             choco_args            = @{ type = "list"; elements = "str"; aliases = "licensed_args" }
             force                 = @{ type = "bool"; default = $false }
@@ -89,6 +96,7 @@ $source_username = $module.Params.source_username
 $source_password = $module.Params.source_password
 $state = $module.Params.state
 $timeout = $module.Params.timeout
+$bootstrap_tls_version = $module.Params.bootstrap_tls_version
 $validate_certs = $module.Params.validate_certs
 $version = $module.Params.version
 
@@ -100,6 +108,7 @@ if (-not $validate_certs) {
 
 # get the full path to choco.exe, otherwise install/upgrade to at least 0.10.5
 $installParams = @{
+    BootstrapTlsVersion = $bootstrap_tls_version
     ProxyUrl = $proxy_url
     ProxyUsername = $proxy_username
     ProxyPassword = $proxy_password

chocolatey/plugins/modules/win_chocolatey.py

@@ -84,6 +84,19 @@
     type: str
     version_added: '1.3.0'
     aliases: [ install_ps1, bootstrap_ps1 ]
+  bootstrap_tls_version:
+    description:
+    - Specify the TLS versions used when retrieving and invoking the I(bootstrap_script) to install
+      Chocolatey if it is not already installed on the system.
+    - Does not change the TLS versions used by Chocolatey itself after it has already been installed.
+    - Specified TLS versions may be ignored or unused if the target TLS version is not available on
+      the client.
+    type: list
+    elements: str
+    choices: [ tls11, tls12, tls13 ]
+    default: [ tls12, tls13 ]
+    version_added: '1.4.0'
+    aliases: [ bootstrap_tls_versions, tls_version, tls_versions ]
   force:
     description:
     - Forces the install of a package, even if it already is installed.

chocolatey/tests/integration/targets/setup_win_chocolatey/defaults/main.yml

@@ -1,6 +1,5 @@
 ---
 test_choco_path: '{{ win_output_dir }}\win_chocolatey'
-test_choco_bootstrap_script: '{{ win_output_dir }}\test-bootstrap.ps1'
 test_choco_source: '{{ test_choco_path }}\packages'
 test_choco_source2: '{{ test_choco_path }}\packages2'  # used to verify source works with the source name and not just the path
 test_choco_package1: ansible

chocolatey/tests/integration/targets/setup_win_chocolatey/tasks/main.yml

@@ -17,11 +17,6 @@
     src: files/test-package/
     dest: '{{ test_choco_path }}'
 
-- name: copy test bootstrap script
-  win_copy:
-    src: files/bootstrap.ps1
-    dest: '{{ test_choco_bootstrap_script }}'
-
 # run the setup in 1 shell script to save on test time
 - name: set up packages
   win_shell: |

chocolatey/tests/integration/targets/win_chocolatey/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+test_choco_bootstrap_script: '{{ win_output_dir }}/test-bootstrap.ps1'
+test_choco_backup: '{{ win_output_dir }}/backup/'
+choco_install_dir: 'C:/ProgramData/chocolatey/'

chocolatey/tests/integration/targets/win_chocolatey/tasks/bootstrap_tests.yml

@@ -0,0 +1,54 @@
+---
+- name: copy test bootstrap script
+  win_copy:
+    src: files/bootstrap.ps1
+    dest: '{{ test_choco_bootstrap_script }}'
+
+- name: backup Chocolatey installation
+  win_copy:
+    src: '{{ choco_install_dir }}'
+    dest: '{{ test_choco_backup }}'
+    remote_src: yes
+
+- name: ensure Chocolatey is not installed
+  win_file:
+    path: '{{ choco_install_dir }}'
+    state: absent
+
+- name: install Chocolatey using the test bootstrap script
+  win_chocolatey:
+    name: chocolatey
+    state: present
+    bootstrap_script: "{{ test_choco_bootstrap_script }}"
+
+- name: checking if the bootstrap file has been created
+  win_shell: Get-Content -Path "C:/temp/confirm-bootstrap.txt" -Raw
+  register: bootstrap_file_check
+
+- name: assert bootstrap file has been created
+  assert:
+    that:
+      - (bootstrap_file_check.stdout|from_json).bootstrap
+
+- name: ensure Chocolatey is not installed
+  win_file:
+    path: '{{ choco_install_dir }}'
+    state: absent
+
+- name: installing Chocolatey from Community Repository with TLS 1.1 only should fail
+  win_chocolatey:
+    name: chocolatey
+    bootstrap_tls_version: [ tls11 ]
+  register: test_tls_version
+  failed_when: not test_tls_version.failed
+
+- name: ensure no leftover files from failed install
+  win_file:
+    path: '{{ choco_install_dir }}'
+    state: absent
+
+- name: restore Chocolatey installation from backup
+  win_copy:
+    src: '{{ test_choco_backup }}'
+    dest: '{{ choco_install_dir }}'
+    remote_src: yes

chocolatey/tests/integration/targets/win_chocolatey/tasks/main.yml

@@ -1,6 +1,9 @@
 ---
 
 - block:
+  - name: run bootstrap tests
+    include_tasks: bootstrap_tests.yml
+
   - name: run tests
     include_tasks: tests.yml