(#17) Add TLS option for bootstrapping

Previously, the TLS configuration was set to allow both TLS 1.1 and
TLS 1.2.

With this change, users can explicitly set the TLS versions they want to
allow during bootstrapping. The default settings are to allow TLS 1.2
and 1.3, according to the TLS versions available on the client.

Also added some tests to verify the new behaviour.

chocolatey/plugins/module_utils/Packages.psm1

@@ -950,21 +950,26 @@ function Install-Chocolatey {
 
         [Parameter()]
         [string]
-        $BootstrapScript
+        $BootstrapScript,
+
+        [Parameter()]
+        [string[]]
+        $BootstrapTlsVersion
     )
 
     $chocoCommand = Get-ChocolateyCommand -IgnoreMissing
     if ($null -eq $chocoCommand) {
         # We need to install chocolatey
-        # Enable TLS1.1/TLS1.2 if they're available but disabled (eg. .NET 4.5)
+        # Enable necessary TLS versions if they're available but disabled.
+        # Default for win_chocolatey is to allow TLS 1.1, 1.2, and 1.3 (if available)
         $protocols = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::SystemDefault
 
-        if ([System.Net.SecurityProtocolType].GetMember("Tls11").Count -gt 0) {
-            $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls11
-        }
-
-        if ([System.Net.SecurityProtocolType].GetMember("Tls12").Count -gt 0) {
-            $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls12
+        foreach ($tlsVersion in $BootstrapTlsVersion) {
+            # If the TLS version isn't available on the system, this will evaluate to $null and be skipped
+            $value = $tlsVersion -as [System.Net.SecurityProtocolType]
+            if ($value) {
+                $protocols = $protocols -bor $value
+            }
         }
 
         [System.Net.ServicePointManager]::SecurityProtocol = $protocols
@@ -1040,7 +1045,7 @@ function Install-Chocolatey {
         }
         catch {
             $message = "Failed to download Chocolatey script from '$scriptUrl'; $($_.Exception.Message)"
-            Assert-TaskFailed -Message $message -Exception $_
+            Assert-TaskFailed -Message $message -Exception $_.Exception
         }
 
         if (-not $Module.CheckMode) {

chocolatey/plugins/modules/win_chocolatey.ps1

@@ -33,6 +33,13 @@ function Get-ModuleSpec {
             allow_multiple        = @{ type = "bool"; default = $false; removed_in_version = '2.0.0'; removed_from_collection = 'chocolatey.chocolatey' }
             allow_prerelease      = @{ type = "bool"; default = $false }
             bootstrap_script      = @{ type = "str"; aliases = "install_ps1", "bootstrap_ps1" }
+            bootstrap_tls_version = @{
+                type = "list"
+                elements = "str"
+                choices = "tls11", "tls12", "tls13"
+                default = "tls12", "tls13"
+                aliases = "tls_version", "tls_versions", "bootstrap_tls_versions"
+            }
             architecture          = @{ type = "str"; default = "default"; choices = "default", "x86" }
             choco_args            = @{ type = "list"; elements = "str"; aliases = "licensed_args" }
             force                 = @{ type = "bool"; default = $false }
@@ -89,6 +96,7 @@ $source_username = $module.Params.source_username
 $source_password = $module.Params.source_password
 $state = $module.Params.state
 $timeout = $module.Params.timeout
+$bootstrap_tls_version = $module.Params.bootstrap_tls_version
 $validate_certs = $module.Params.validate_certs
 $version = $module.Params.version
 
@@ -100,6 +108,7 @@ if (-not $validate_certs) {
 
 # get the full path to choco.exe, otherwise install/upgrade to at least 0.10.5
 $installParams = @{
+    BootstrapTlsVersion = $bootstrap_tls_version
     ProxyUrl = $proxy_url
     ProxyUsername = $proxy_username
     ProxyPassword = $proxy_password

chocolatey/plugins/modules/win_chocolatey.py

@@ -84,6 +84,19 @@
     type: str
     version_added: '1.3.0'
     aliases: [ install_ps1, bootstrap_ps1 ]
+  bootstrap_tls_version:
+    description:
+    - Specify the TLS versions used when retrieving and invoking the I(bootstrap_script) to install
+      Chocolatey if it is not already installed on the system.
+    - Does not change the TLS versions used by Chocolatey itself after it has already been installed.
+    - Specified TLS versions may be ignored or unused if the target TLS version is not available on
+      the client.
+    type: list
+    elements: str
+    choices: [ tls11, tls12, tls13 ]
+    default: [ tls12, tls13 ]
+    version_added: '1.4.0'
+    aliases: [ bootstrap_tls_versions, tls_version, tls_versions ]
   force:
     description:
     - Forces the install of a package, even if it already is installed.

chocolatey/tests/integration/targets/setup_win_chocolatey/defaults/main.yml

@@ -1,6 +1,5 @@
 ---
 test_choco_path: '{{ win_output_dir }}\win_chocolatey'
-test_choco_bootstrap_script: '{{ win_output_dir }}\test-bootstrap.ps1'
 test_choco_source: '{{ test_choco_path }}\packages'
 test_choco_source2: '{{ test_choco_path }}\packages2'  # used to verify source works with the source name and not just the path
 test_choco_package1: ansible

chocolatey/tests/integration/targets/setup_win_chocolatey/tasks/main.yml

@@ -17,11 +17,6 @@
     src: files/test-package/
     dest: '{{ test_choco_path }}'
 
-- name: copy test bootstrap script
-  win_copy:
-    src: files/bootstrap.ps1
-    dest: '{{ test_choco_bootstrap_script }}'
-
 # run the setup in 1 shell script to save on test time
 - name: set up packages
   win_shell: |

chocolatey/tests/integration/targets/win_chocolatey/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+test_choco_bootstrap_script: '{{ win_output_dir }}/test-bootstrap.ps1'
+test_choco_backup: '{{ win_output_dir }}/backup/'
+choco_install_dir: 'C:/ProgramData/chocolatey/'

chocolatey/tests/integration/targets/win_chocolatey/tasks/bootstrap_tests.yml

@@ -0,0 +1,54 @@
+---
+- name: copy test bootstrap script
+  win_copy:
+    src: files/bootstrap.ps1
+    dest: '{{ test_choco_bootstrap_script }}'
+
+- name: backup Chocolatey installation
+  win_copy:
+    src: '{{ choco_install_dir }}'
+    dest: '{{ test_choco_backup }}'
+    remote_src: yes
+
+- name: ensure Chocolatey is not installed
+  win_file:
+    path: '{{ choco_install_dir }}'
+    state: absent
+
+- name: install Chocolatey using the test bootstrap script
+  win_chocolatey:
+    name: chocolatey
+    state: present
+    bootstrap_script: "{{ test_choco_bootstrap_script }}"
+
+- name: checking if the bootstrap file has been created
+  win_shell: Get-Content -Path "C:/temp/confirm-bootstrap.txt" -Raw
+  register: bootstrap_file_check
+
+- name: assert bootstrap file has been created
+  assert:
+    that:
+      - (bootstrap_file_check.stdout|from_json).bootstrap
+
+- name: ensure Chocolatey is not installed
+  win_file:
+    path: '{{ choco_install_dir }}'
+    state: absent
+
+- name: installing Chocolatey from Community Repository with TLS 1.1 only should fail
+  win_chocolatey:
+    name: chocolatey
+    bootstrap_tls_version: [ tls11 ]
+  register: test_tls_version
+  failed_when: not test_tls_version.failed
+
+- name: ensure no leftover files from failed install
+  win_file:
+    path: '{{ choco_install_dir }}'
+    state: absent
+
+- name: restore Chocolatey installation from backup
+  win_copy:
+    src: '{{ test_choco_backup }}'
+    dest: '{{ choco_install_dir }}'
+    remote_src: yes

chocolatey/tests/integration/targets/win_chocolatey/tasks/main.yml

@@ -1,6 +1,9 @@
 ---
 
 - block:
+  - name: run bootstrap tests
+    include_tasks: bootstrap_tests.yml
+
   - name: run tests
     include_tasks: tests.yml