Le blog technique

Toutes les astuces #tech des collaborateurs de PI Services.

#openblogPI

Voir tous les articles

Retrouvez les articles à la une

AutoPilot: Post ESP – Installation des applications Win32 sous Intune

par | 11 Juin 2026 | , , ,

Dans les environnements d’entreprise, nous devons répondre à de nombreuses exigences en matière de gestion des applications. L’un des défis les plus courants consiste à contrôler le moment d’installation des applications durant le processus d’enrôlement, notamment avec Windows Autopilot.

Prenons un exemple : vous avez comme prérequis que l’application « X » soit disponible dès que le bureau Windows est affiché (Windows Desktop loaded) et prête à être utilisée par l’utilisateur à l’issue du déploiement Autopilot. L’application ne doit être installée ni trop tôt afin de ne pas impacter l’expérience d’enrôlement, ni trop tard afin de garantir sa disponibilité immédiate dès l’arrivée sur le bureau.

L’objectif de ce blog est de s’assurer que l’application X ne s’installe qu’une fois l’ESP (Enrollment Status Page) terminée, à travers deux scripts PowerShell déployés via une application Win32.

Script 2 : contrôle l’installation de l’application en fonction de l’état du processus ESP.

Script 1 : copie les fichiers sources et crée une tâche planifiée qui exécutera le Script 2.

Actions effectuées

• Crée le dossier *C:\ProgramData\XXX\XXXX* s’il n’existe pas.
• Copie tous les fichiers du package (MSI/EXE + 2 scripts) dans ce dossier.
• Met à jour les fichiers du package lorsqu’une nouvelle version du MSI/EXE est détectée.
• Crée une tâche planifiée nommée « XXXX_PostESP_Install » afin d’installer notre application (XXXX) lors de la première connexion de l’utilisateur.

FichierRole
Copy-XXXX-task.ps1Crée le répertoire d’installation, remplace le fichier d’installation lorsqu’une nouvelle version est détectée, puis crée la tache planifiée qui sera exécutée à la suite de l’ouverture du session Windows.
Install_XXXX_PostESP.ps1Vérifie que l’Enrollment Status Page (ESP) est terminée et, le cas échéant, que la configuration de WHFB est également finalisée.
Une fois ces vérifications effectuées, le script lance l’installation de l’application
XXXX.msi/.exeFichier d’installation de l’application (quel que soit son format .msi ou .exe)

NB: les trois fichiers listés dans le tableau, doivent etre présents ensemble dans le meme répertoire ava,t la création du package Intune.

Ces deux scripts seront encapsuler dans fichier .intunewin puis le crée une application WIN32 comme suit:
Program:
Install command: Powershell.exe -ExecutionPolicy Bypass .\Copy-XXXX-task.ps1
Uninstall command: cmd.exe /c
Rule type: File
Path: C:\ProgramData\XXXX\XXXX
File or folder : « Fichier d’installation de l’application MSI/EXE »
Detection method: File or folder exists

La méthode de détection et les deux scripts peuvent être modifier selon vos besoins

Exemple fichier log génerer par le script d’installation:

Copy-XXXX-task.ps1 :

# ============================================================
# Copy-XXXX-task.ps1 - Payload Script (runs at AutoPilot phase 2)
# Purpose : Update source files if needed and create scheduled task.
#
# Triggered by : Intune application deployement services"
# RunAs        : SYSTEM
# Author       : Lazher YAAKOUBI
# Version      : 2.7.2
# ============================================================

# Folder where XXXX installation files must be copied
$XXXX = "C:\ProgramData\XXXX\XXXX"
$LogFile  = "$env:WINDIR\Temp\XXXX-Copy-TaskCreation.log"

# Find the MSI and script files
$InstallerSourceMSI = Get-ChildItem -Path $PSScriptRoot -Filter "*.msi" | Select-Object -First 1
$InstallerSourcePS1 = Get-ChildItem -Path $PSScriptRoot -Filter "*.ps1" | Where-Object { $_.Name -like "*Install_XXXX*" } | Select-Object -First 1

function Write-Log {
    param([string]$Message)
    $line = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') : $Message"
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}


# Check source files existance MSI&PS1
if (-not $InstallerSourceMSI) {
    Write-Log "Error: No MSI file found in $PSScriptRoot."
    exit
}

if (-not $InstallerSourcePS1) {
    Write-Log "Error: No installation script found in $PSScriptRoot."
    exit
}

$InstallerName = $InstallerSourceMSI.Name
$InstallerSource = $InstallerSourceMSI.FullName
$ScriptName = $InstallerSourcePS1.Name
$ScriptSource = $InstallerSourcePS1.FullName

$InstallerDest = Join-Path $XXXX $InstallerName
$ScriptDest    = Join-Path $XXXX $ScriptName

# Name of the scheduled task
$TaskName = "XXXXInstallIfMissing"

# Check if folder exists
if (-Not (Test-Path $XXXX)) {
    #
    try {
        New-Item -ItemType Directory -Path $XXXX -Force | Out-Null
        Write-Log "Folder $XXXX created successfully."
    } catch {
        Write-Log "Error: Failed to create folder $XXXX. $_"
        exit
    }

    Copy-Item -Path $InstallerSource -Destination $InstallerDest -Force
    Copy-Item -Path $ScriptSource    -Destination $ScriptDest    -Force
} else {
    Write-Log "XXXX folder already exists. Checking for updates..."

    # Update MSI if needed
    $ExistingMSI = Get-ChildItem -Path $XXXX -Filter "*.msi" -File
    if ($ExistingMSI) {
        $ExistingMSIVersion = [System.IO.Path]::GetFileNameWithoutExtension($ExistingMSI.Name) -replace 'XXXX-windows-', '' -replace '-x64', '' -replace '-corp', ''
        $NewMSIVersion      = [System.IO.Path]::GetFileNameWithoutExtension($InstallerName)    -replace 'XXXX-windows-', '' -replace '-x64', '' -replace '-corp', ''

        # Version comparison
        if (([version]$ExistingMSIVersion) -lt ([version]$NewMSIVersion)) {
            Write-Log "Newer MSI version detected ($NewMSIVersion). Updating..."
            Remove-Item -Path "$XXXX\*" -Force
            Copy-Item -Path $InstallerSource -Destination $InstallerDest -Force
            Copy-Item -Path $ScriptSource -Destination $InstallerDest -Force
        } else {
            Write-Log "Existing MSI version ($ExistingMSIVersion) is up to date."
        }
    } else {
        Copy-Item -Path $InstallerSource -Destination $InstallerDest -Force
    }

    # Always overwrite the script so it stays in sync with the MSI
    Copy-Item -Path $ScriptSource -Destination $ScriptDest -Force
    Write-Log "Installation script updated."
}

# Check if the scheduled task already exists
$ExistingTask = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($ExistingTask) {
    Write-Log "Scheduled task '$TaskName' already exists. Skipping creation."
} else {
    # Define scheduled task action
    $Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptDest`""

    # Define trigger
    $TriggerAtLogon = New-ScheduledTaskTrigger -AtLogOn

    # Define task principal (run as SYSTEM)
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

    # Define settings
    $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Days 0)

    # Register the task
    try {
        Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $TriggerAtLogon -Principal $Principal -Settings $Settings -Force -ErrorAction Stop
        Write-Log "Scheduled task '$TaskName' created successfully." #| Out-File -FilePath "$env:WINDIR\Temp\TaskCreation.log" -Append
    } catch {
        Write-Log "Failed to create scheduled task: $_" #| Out-File -FilePath "$env:WINDIR\Temp\TaskCreation.log" -Append
    }
}

Install_XXXX_PostESP.ps1:
• Nombre maximal de tentatives : 30
• Délai entre chaque tentative : 5 minutes
• Si les 30 tentatives échouent : la tâche planifiée reste active et une nouvelle tentative sera effectuée lors de la prochaine connexion de l’utilisateur.

# ============================================================
# Install_XXXX_PostESP.ps1 - Payload Script (runs at logon)
# Purpose : Wait for Autopilot ESP Phase 3 to finish, then
#           install XXXX MSI with retry logic.
#
# Triggered by : Scheduled Task "XXXXInstallIfMissing"
# RunAs        : SYSTEM
# Author       : Lazher YAAKOUBI
# Version      : 2.7.2
# ============================================================

$XXXX  = "C:\ProgramData\XXXX\XXXX_Source"
$LogPath        = "$env:WINDIR\Temp\install_XXXX.log"
$LogFile        = "$env:WINDIR\Temp\XXXX-install-attempt.log"
$TaskName       = "XXXXInstallIfMissing"
$filePath       = "C:\Program Files\XXXX\XXXX.exe"

# Check MSI file...
$InstallerSourceMSI = Get-ChildItem -Path $XXXX -Filter "*.msi" | Select-Object -First 1
if (-not $InstallerSourceMSI) {
    
    Add-Content -Path $LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') : ERROR - No MSI found in $XXXX. Exiting." -ErrorAction SilentlyContinue
    exit 1
}

$InstallerName = $InstallerSourceMSI.Name
$InstallerPath = Join-Path $XXXX $InstallerName

# e.g. "XXXX-windows-4.2.0.172-x64" -> "4.2.0.172"
$MSIVersion = [System.IO.Path]::GetFileNameWithoutExtension($InstallerPath) `
              -replace 'XXXX-windows-', '' `
              -replace '-x64', '' `
              -replace '-corp', '' `
              -replace '-[a-zA-Z].*$', ''   # catch any other suffix

function Write-Log {
    param([string]$Message)
    $line = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') : $Message"
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
}

# -------------------------------------------------------
# 0. Guard : skip if XXXX is already installed
# -------------------------------------------------------
if (Test-Path $filePath) {
    # Normalise FileVersion
    $rawFileVersion = (Get-Item $filePath).VersionInfo.FileVersion -replace '\s.*$', ''

    if ($rawFileVersion -eq $MSIVersion) {
        Write-Log "XXXX $rawFileVersion already installed - removing scheduled task and exiting."

        if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
            Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
            Write-Log "Scheduled task '$TaskName' removed."
        } else {
            Write-Log "Scheduled task '$TaskName' does not exist."
        }

        exit 0
    } else {
        Write-Log "Installed version ($rawFileVersion) differs from MSI version ($MSIVersion) - proceeding with installation."
    }
}

Write-Log "Waiting for ESP completion (using IME-equivalent checks)..."

$espWaitSeconds = 0
$espMaxWait     = 18000  # 5 h
$pollInterval   = 15     # seconds between checks

# ---------- Check 1: IsSyncDone ----------
function Test-IsSyncDone {
    $enrollments = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -ErrorAction SilentlyContinue
    foreach ($enrollment in $enrollments) {
        $providerID = (Get-ItemProperty -Path $enrollment.PSPath -Name "ProviderID" -ErrorAction SilentlyContinue).ProviderID
        if ($providerID -ne "MS DM Server") { continue }

        $firstSyncPath = Join-Path $enrollment.PSPath "FirstSync"
        $userSidKeys = Get-ChildItem -Path $firstSyncPath -ErrorAction SilentlyContinue
        foreach ($sidKey in $userSidKeys) {
            $isSyncDone = (Get-ItemProperty -Path $sidKey.PSPath -Name "IsSyncDone" -ErrorAction SilentlyContinue).IsSyncDone
            if ($isSyncDone -eq 1) { return $true }
        }
    }
    return $false
}

# ---------- Check 2: Sidecar InstallationState ----------update must be performed to resolve issues related to failed autopilot device!!!
function Test-SidecarCompleted {
    $enrollments = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -ErrorAction SilentlyContinue
    foreach ($enrollment in $enrollments) {
        $sidecarPath = Join-Path $enrollment.PSPath "PolicyProviders\Sidecar"
        $state = (Get-ItemProperty -Path $sidecarPath -Name "InstallationState" -ErrorAction SilentlyContinue).InstallationState
        if ($state -eq "Completed") { return $true }
    }
    # If Sidecar key doesn't exist at all, it's not blocking ESP
    return $true
}

# ---------- Check 3: HasProvisioningCompleted (WMI) ----------
function Test-HasProvisioningCompleted {
    try {
        $result = Get-WmiObject -Namespace "root\cimv2\mdm\dmmap" `
            -Query "SELECT HasProvisioningCompleted FROM MDM_EnrollmentStatusTracking_Setup01" `
            -ErrorAction Stop
        if ($null -ne $result -and $result.HasProvisioningCompleted -eq $true) { return $true }
    } catch {
        return $true
    }
    return $false
}

# ---------- Check 4: TrackingPoliciesCreated (WMI) ----------
function Test-TrackingPoliciesCreated {
    try {
        $result = Get-WmiObject -Namespace "root\cimv2\mdm\dmmap" `
            -Query "SELECT TrackingPoliciesCreated FROM MDM_EnrollmentStatusTracking_PolicyProviders03_01" `
            -ErrorAction Stop
        if ($null -ne $result -and $result.TrackingPoliciesCreated -eq $true) { return $true }
    } catch {
        return $true
    }
    return $false
}

# ---------- Check 5: WWAHost.exe Running ----------
function Test-WWAHostVisible {
    $wwa = Get-Process -Name "WWAHost" -ErrorAction SilentlyContinue |
           Where-Object { $_.SessionId -gt 0 }
    return ($null -ne $wwa)
}

# ---------- Main polling loop ----------
do {
    $c1 = Test-IsSyncDone
    $c2 = Test-SidecarCompleted
    $c3 = Test-HasProvisioningCompleted
    $c4 = Test-TrackingPoliciesCreated
    $c5 = Test-WWAHostVisible

    Write-Log ("ESP/WHfB status at ${espWaitSeconds}s - " +
               "IsSyncDone=$c1 | SidecarCompleted=$c2 | " +
               "HasProvisioningCompleted=$c3 | TrackingPoliciesCreated=$c4 | " +
               "WWAHostVisible=$c5")

    if ($c1 -and $c2 -and $c3 -and $c4 -and (-not $c5)) {
        Write-Log "All checks passed - ESP done and WWAHost closed. Proceeding after ${espWaitSeconds}s."
        break
    }

    Start-Sleep -Seconds $pollInterval
    $espWaitSeconds += $pollInterval

} while ($espWaitSeconds -lt $espMaxWait)

# -------------------------------------------------------
# 2. INSTALL XXXX WITH RETRY LOGIC
# -------------------------------------------------------
if (-Not (Test-Path $InstallerPath)) {
    Write-Log "ERROR: Installer not found at $InstallerPath"
    exit 1
}

# This line must be updated with the appropriate code for your application!!!!
$msiArgs = "/i `"$InstallerPath`" /qn /l*v `"$LogPath`" " +
           "STRICTENFORCEMENT=1 " +
           "CLOUDNAME=XXXX " +
           "USERDOMAIN=XXXX " +
           "POLICYTOKEN=391083766XXXXXXXXXXXXXXXXXX " +
           "REBOOT=ReallySuppress"

$maxAttempts = 30
$attempts    = 0
$success     = $false

while (-not $success -and $attempts -lt $maxAttempts) {
    $attempts++
    Write-Log "Installation attempt $attempts of $maxAttempts"

    try {
        $process = Start-Process "msiexec.exe" `
            -ArgumentList $msiArgs `
            -Wait -PassThru -NoNewWindow -ErrorAction Stop

        Write-Log "msiexec exit code: $($process.ExitCode)"

        switch ($process.ExitCode) {
            0    { $success = $true ; Write-Log "Installation succeeded." }
            3010 { $success = $true ; Write-Log "Installation succeeded (reboot required - suppressed)." }
            1618 { Write-Log "Another MSI installation in progress (1618) - retrying in 5 min..." ; Start-Sleep -Seconds 300 }
            1619 { Write-Log "Package could not be opened (1619) - retrying in 5 min..." ; Start-Sleep -Seconds 300 }
            default {
                Write-Log "Unexpected exit code $($process.ExitCode) - retrying in 5 min..."
                Start-Sleep -Seconds 300
            }
        }
    } catch {
        Write-Log "ERROR launching msiexec: $_"
        Start-Sleep -Seconds 300
    }
}

# -------------------------------------------------------
# 3. FINAL STATUS
# -------------------------------------------------------
if ($success) {
    Write-Log "XXXX installed successfully - removing scheduled task."
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue

    Write-Log "Cleaning up XXXX_Source folder (full removal)..."
    Remove-Item -Path "$XXXX\*" -Exclude $InstallerName -Confirm:$false -Recurse -ErrorAction Stop
    exit 0
} else {
    Write-Log "FAILED after $maxAttempts attempts - scheduled task remains for next logon retry."
    exit 1
}

L’authentification échoue avec l’erreur « Size of the request headers is too long » sur Android

par | 11 Juin 2026 |

L’erreur “HTTP Error 400. The size of the request headers is too long” est relativement connue et plutôt bien documentée : elle correspond à l’envoi par une application client (par exemple Teams) d’un cookie (token) d’authentification trop long à son serveur Web, en général parce qu’il contient trop de claims par exemple lorsque l’utilisateur est membre de trop de groupes (phénomène dit de « token bloat »).

Il arrive cependant qu’elle survienne lors de l’authentification depuis un appareil spécifique, alors que tous les autres paramètres sont identiques (même compte, accès au même service dans le même tenant…).

On peut alors supposer que le token est corrompu : l’appareil en question conserve un cookie mal formé ou mal actualisé et tente de l’envoyer au serveur, qui rejette alors la demande.

Lorsque ce problème survient sur un téléphone Android, la première solution qui vient à l’esprit est la classique « suppression des données » de l’application qui échoue à se connecter, voire à désinstaller puis réinstaller cette application. Malheureusement cette manipulation peut ne pas fonctionner en raison d’un mécanisme méconnu : c’est en réalité le gestionnaire de comptes Android qui conserve les tokens d’authentification, pas directement les applications.

Il faut donc supprimer le compte dont l’authentification échoue via les paramètres « Comptes» d’Android pour supprimer le token problématique. La procédure varie légèrement d’un modèle de téléphone à un autre, elle ne sera donc pas détaillée ici, mais l’authentification devrait ensuite fonctionner comme au premier jour !

Rundeck – Script Python de gestion des tokens

par | 13 Mai 2026 | ,

Les tokens d’API Rundeck ont tendance à proliférer silencieusement. Un petit script Python suffit à reprendre le contrôle : lister, créer, supprimer — sans dépendance externe.

Rundeck expose une API REST complète, mais naviguer dans l’interface web pour auditer des dizaines de tokens devient vite fastidieux.  Le script manage_rundeck_tokens.py s’appuie directement sur l’API de rundeck pour automatiser la gestion des tokens — idéal dans un pipeline CI/CD ou une tâche cron.

Le script ne nécessite aucune bibliothèque tierce : il utilise uniquement la stdlib Python (urllibargparsejson). L’authentification Kerberos est le seul cas qui requiert gssapi.

Le script couvre les principaux modes d’accès à Rundeck :

 –token API_TOKEN –login USER (mot de passe interactif) –kerberos (SPNEGO)

Le mode --login gère la session via cookie (endpoint /j_security_check). Le mode --kerberos sonde d’abord le serveur pour vérifier la présence du header Negotiate, et affiche un message d’erreur explicite si SPNEGO n’est pas configuré.

Affichage coloré des expirations

Chaque token affiché en terminal est accompagné d’un statut visuel basé sur sa date d’expiration :

EXPIREDToken arrivé à échéance

CRITICAL — 2jExpiration dans moins de 3 jours

WARNING — 5jExpiration dans moins de 7 jours

OK — 42jToken en bonne santé

Rapport par e-mail

La commande list accepte un flag --email qui génère un rapport HTML et l’envoie via un module compagnon (email_report.py). Couplé à une tâche cron, c’est un moyen simple d’être alerté avant l’expiration d’un token critique.

Rundeck API Token Manager

#!/usr/bin/env python3
"""
Rundeck API Token Manager

Manage Rundeck API tokens (list, create, delete) via the Rundeck REST API v54.

USAGE:
    python manage_rundeck_tokens.py --url <URL> <AUTH_METHOD> <COMMAND> [OPTIONS]

AUTHENTICATION METHODS (choose one):
    --token APITOKEN            Use an existing Rundeck API token
    --login USERNAME            Use username/password authentication (password will be prompted)
    --password PASSWORD         Password for --login (optional, will be prompted if omitted)
    --kerberos                  Use current user's Kerberos ticket (requires: pip install gssapi)

COMMANDS:
    list [--user USERNAME]      List all API tokens (optionally filter by user)
    get --id TOKEN_ID           Get details for a specific token by ID
    create --user USERNAME      Create a new API token with roles and optional expiry
        --roles ROLE [ROLE...]  One or more roles (space-separated, required)
        --duration DURATION     Token expiry (e.g., 30d, 12h, 1w; omit for no expiry)
    delete --id TOKEN_ID        Delete a token by its ID

EXAMPLES:

1. List all tokens using an API token:
   python manage_rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN list

2. List all tokens using username/password (password will be prompted):
   python manage_rundeck_tokens.py --url http://rundeck:4440 --login admin list

3. List tokens for a specific user (admin only):
   python manage_rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN list --user alice

4. List tokens and send report by email:
   python manage_rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN list --email

5. Get details for a specific token:
   python manage_rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN get --id abc123def456

6. Create a new token (non-expiring):
   python manage_rundeck_tokens.py --url http://rundeck:4440 --login admin create \
       --user alice --roles admin deploy

7. Create a token that expires in 30 days:
   python manage_rundeck_tokens.py --url http://rundeck:4440 --login admin create \
       --user john --roles developer --duration 30d

8. Create a token with multiple roles and custom password:
   python manage_rundeck_tokens.py --url http://rundeck:4440 --login admin --password secret123 create \
       --user bob --roles admin deploy execute

9. Delete a token:
   python manage_rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN delete \
       --id abc123def456

10. Use Kerberos authentication (requires valid ticket via kinit):
    python manage_rundeck_tokens.py --url http://rundeck:4440 --kerberos list

11. Use environment variable for token (useful in scripts):
    export RUNDECK_TOKEN=MYAPITOKEN
    python manage_rundeck_tokens.py --url http://rundeck:4440 --token $RUNDECK_TOKEN list

OUTPUT:
    - Tokens are displayed with color-coded expiry status:
      * [EXPIRED] in red
      * [N days] in red/yellow (< 7 days) or green (>= 30 days)
    - Token details include: ID, name, user, roles, expiration date, creator
"""

import argparse
import getpass
import json
import sys
import urllib.request
import urllib.error
import urllib.parse
from http.cookiejar import CookieJar
from datetime import datetime, timezone
from typing import Optional

try:
    from email_report import EmailReportSender, generate_rundeck_tokens_report
    HAS_EMAIL = True
except ImportError:
    HAS_EMAIL = False


def login_with_password(base_url: str, username: str, password: str) -> urllib.request.OpenerDirector:
    """
    Authenticate with a Rundeck username/password.
    Returns an opener that carries the session cookie for all subsequent calls.
    """
    cj = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))

    login_url = f"{base_url.rstrip('/')}/j_security_check"
    form_data = urllib.parse.urlencode({
        "j_username": username,
        "j_password": password,
    }).encode()

    req = urllib.request.Request(login_url, data=form_data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")

    try:
        with opener.open(req) as resp:
            # Rundeck redirects to / on success and to /user/error on failure
            final_url = resp.geturl()
            if "error" in final_url or "login" in final_url:
                print("[Auth error] Login failed - check username/password.", file=sys.stderr)
                sys.exit(1)
    except urllib.error.URLError as e:
        print(f"[Connection error] {e.reason}", file=sys.stderr)
        sys.exit(1)

    print(f"Logged in as '{username}'.")
    return opener


def login_with_kerberos(base_url: str) -> urllib.request.OpenerDirector:
    """
    Authenticate using SPNEGO/Kerberos (Negotiate scheme).
    Requires: pip install gssapi  +  a valid Kerberos ticket (kinit).

    Probes the server first; exits with a clear message if SPNEGO is not
    configured on this Rundeck instance.
    """
    try:
        import base64
        import gssapi
    except ImportError:
        print("[Error] Kerberos auth requires gssapi: pip install gssapi", file=sys.stderr)
        sys.exit(1)

    parsed = urllib.parse.urlparse(base_url)
    probe_url = f"{base_url.rstrip('/')}/api/54/system/info"

    # --- Step 1: probe without auth to check for SPNEGO challenge ---
    cj = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
    www_auth = ""
    try:
        probe_req = urllib.request.Request(probe_url, headers={"Accept": "application/json"})
        with opener.open(probe_req):
            return opener  # already authenticated (unlikely)
    except urllib.error.HTTPError as e:
        www_auth = e.headers.get("WWW-Authenticate", "")
        if e.code not in (401, 403):
            body = e.read().decode(errors="replace")
            print(f"[HTTP {e.code}] {e.reason} - {body}", file=sys.stderr)
            sys.exit(1)

    if "Negotiate" not in www_auth:
        got = www_auth or "none"
        print(
            "[Kerberos error] This Rundeck instance does not support SPNEGO/Kerberos.\n"
            f"  No 'WWW-Authenticate: Negotiate' received (got: '{got}').\n"
            "  The server uses form-based auth only. Use --login <username> instead.",
            file=sys.stderr,
        )
        sys.exit(1)

    # --- Step 2: generate GSSAPI token ---
    try:
        service_name = gssapi.Name(
            f"HTTP@{parsed.hostname}",
            name_type=gssapi.NameType.hostbased_service,
        )
        ctx = gssapi.SecurityContext(name=service_name, usage="initiate")
        token = ctx.step()
    except gssapi.exceptions.GSSError as e:
        print(f"[Kerberos error] {e}\nRun: kinit", file=sys.stderr)
        sys.exit(1)

    negotiate_token = base64.b64encode(token).decode()

    # --- Step 3: send authenticated request to obtain session cookie ---
    req_auth = urllib.request.Request(
        probe_url,
        headers={"Authorization": f"Negotiate {negotiate_token}", "Accept": "application/json"},
    )
    try:
        with opener.open(req_auth):
            pass  # cookie jar captures the session cookie
    except urllib.error.HTTPError as e:
        if e.code == 401:
            print("[Auth error] Kerberos: token rejected (401). Run: klist", file=sys.stderr)
        else:
            body = e.read().decode(errors="replace")
            print(f"[HTTP {e.code}] {e.reason} - {body}", file=sys.stderr)
        sys.exit(1)
    except urllib.error.URLError as e:
        print(f"[Connection error] {e.reason}", file=sys.stderr)
        sys.exit(1)

    import os
    print(f"Authenticated via Kerberos (cache: {os.environ.get('KRB5CCNAME', 'default')}).")
    return opener


def make_request(
    base_url: str,
    method: str,
    path: str,
    payload: Optional[dict] = None,
    api_token: Optional[str] = None,
    opener: Optional[urllib.request.OpenerDirector] = None,
    ) -> dict | list | None:
    """
    Perform an API call.
    Exactly one of *api_token* or *opener* (session cookie) must be provided.
    """
    url = f"{base_url.rstrip('/')}{path}"
    headers: dict[str, str] = {
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    if api_token:
        headers["X-Rundeck-Auth-Token"] = api_token

    data = json.dumps(payload).encode() if payload else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)

    _opener = opener or urllib.request.build_opener()

    try:
        with _opener.open(req) as resp:
            body = resp.read()
            if body:
                return json.loads(body)
            return None
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        print(f"[HTTP {e.code}] {e.reason} - {body}", file=sys.stderr)
        sys.exit(1)
    except urllib.error.URLError as e:
        print(f"[Connection error] {e.reason}", file=sys.stderr)
        sys.exit(1)


# ---------------------------------------------------------------------------
# Shorthand - forwards auth kwargs to make_request
# ---------------------------------------------------------------------------

def _req(base_url, method, path, payload=None, **auth):
    return make_request(base_url, method, path, payload, **auth)


# ---------------------------------------------------------------------------
# API operations
# ---------------------------------------------------------------------------

def list_tokens(base_url: str, user: Optional[str] = None, **auth) -> list:
    """List all tokens, or only those belonging to *user*."""
    path = "/api/54/tokens"
    if user:
        path += f"/{user}"
    result = _req(base_url, "GET", path, **auth)
    # Rundeck returns {"tokens": [...]} or a bare list depending on version
    if isinstance(result, dict):
        return result.get("tokens", [])
    return result or []


def get_token(base_url: str, token_id: str, **auth) -> dict:
    """Get details for a single token by its ID."""
    return _req(base_url, "GET", f"/api/54/token/{token_id}", **auth)


def create_token(
    base_url: str,
    user: str,
    roles: list[str],
    duration: Optional[str] = None,
    name: Optional[str] = None,
    **auth,
    ) -> dict:
    """
    Create a new token.

    Parameters
    ----------
    user      : Rundeck username the token is associated with.
    roles     : List of role names (e.g. ["admin", "deploy"]).
    duration  : Optional expiry expressed as a Rundeck duration string,
                e.g. "30d", "12h", "1w".  Omit for a never-expiring token.
    name      : Optional custom name for the token.
    """
    payload: dict = {"user": user, "roles": roles}
    if duration:
        payload["duration"] = duration
    if name:
        payload["name"] = name
    return _req(base_url, "POST", "/api/54/tokens", payload, **auth)


def delete_token(base_url: str, token_id: str, **auth) -> None:
    """Delete a token by its ID."""
    _req(base_url, "DELETE", f"/api/54/token/{token_id}", **auth)
    print(f"Token '{token_id}' deleted successfully.")


# ---------------------------------------------------------------------------
# Pretty-printing
# ---------------------------------------------------------------------------

# ANSI colour codes
_RESET  = "\033[0m"
_RED    = "\033[1;31m"
_YELLOW = "\033[1;33m"
_GREEN  = "\033[1;32m"


def _expiry_status(expiration: str) -> tuple[str, str]:
    """Return (label, colour) based on days until expiry."""
    try:
        exp = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
        now = datetime.now(timezone.utc)
        days = (exp - now).days
        if days < 0:
            return "[EXPIRED]", _RED
        elif days < 3:
            return f"[CRITICAL - expires in {days}d]", _RED
        elif days < 7:
            return f"[WARNING  - expires in {days}d]", _YELLOW
        else:
            return f"[OK - expires in {days}d]", _GREEN
    except (ValueError, AttributeError):
        return "", _RESET


def print_token(token: dict) -> None:
    # Determine expiration status for the header
    colour = _RESET
    status_label = ""
    if token.get("expiration"):
        status_label, colour = _expiry_status(token["expiration"])
    elif token.get("expired") is True:
        status_label, colour = "[EXPIRED]", _RED

    print(f"{colour}" + "-" * 60 + f"  {status_label}{_RESET}")
    for key in ("id", "name", "user", "roles", "expiration", "expired", "creator", "token"):
        if key not in token:
            continue
        value = token[key]
        if key == "expiration" and isinstance(value, str) and value:
            value = value[:10]  # Keep only YYYY-MM-DD
        line = f"  {key:<12}: {value}"
        if key in ("expiration", "expired") and colour != _RESET:
            print(f"{colour}{line}{_RESET}")
        else:
            print(line)


# ---------------------------------------------------------------------------
# CLI
# ---------------------------------------------------------------------------

def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(
        description="Manage Rundeck API tokens (list / create / delete).",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Authentication - choose one method:
  --token APITOKEN            Use a Rundeck API token
  --login USER [--password P] Use a username/password (password prompted if omitted)
  --kerberos                  Use the current user Kerberos ticket (SPNEGO/Negotiate)

Examples:
  # List all tokens (API token auth)
  python rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN list

  # List tokens (login/password auth, password will be prompted)
  python rundeck_tokens.py --url http://rundeck:4440 --login admin list

  # List tokens for a specific user
  python rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN list --user alice

  # List tokens and send report by email
  python rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN list --email

  # Create a token (expires in 30 days)
  python rundeck_tokens.py --url http://rundeck:4440 --login admin create \\
      --user alice --roles admin deploy --duration 30d

  # Delete a token by ID
  python rundeck_tokens.py --url http://rundeck:4440 --token MYAPITOKEN delete \\
      --id abc123def456
        """,
    )

    parser.add_argument(
        "--url",
        required=True,
        help="Rundeck base URL, e.g. http://rundeck:4440",
    )

    auth_group = parser.add_mutually_exclusive_group(required=True)
    auth_group.add_argument(
        "--token",
        metavar="APITOKEN",
        help="Rundeck API token used to authenticate requests.",
    )
    auth_group.add_argument(
        "--login",
        metavar="USERNAME",
        help="Rundeck username for login/password authentication.",
    )
    auth_group.add_argument(
        "--kerberos",
        action="store_true",
        help="Use the current user Kerberos ticket (SPNEGO). Requires: pip install gssapi",
    )
    parser.add_argument(
        "--password",
        metavar="PASSWORD",
        default=None,
        help="Password for --login auth. If omitted, you will be prompted (recommended).",
    )

    sub = parser.add_subparsers(dest="command", required=True)

    # --- list ---
    p_list = sub.add_parser("list", help="List API tokens.")
    p_list.add_argument(
        "--user",
        default=None,
        help="Filter tokens by username (optional, admin only for other users).",
    )
    p_list.add_argument(
        "--email",
        action="store_true",
        help="Send the token report by email (requires email_report module and SMTP environment variables).",
    )
    p_list.add_argument(
        "--report-path",
        default=None,
        type=str,
        help="Save the HTML report to a file (optional, used with --email).",
    )

    # --- get ---
    p_get = sub.add_parser("get", help="Show details for a single token.")
    p_get.add_argument("--id", required=True, metavar="TOKEN_ID", help="Token ID.")

    # --- create ---
    p_create = sub.add_parser("create", help="Create a new API token.")
    p_create.add_argument("--user", required=True, help="Username to associate with the token.")
    p_create.add_argument(
        "--roles",
        nargs="+",
        required=True,
        metavar="ROLE",
        help="One or more roles to assign (space-separated).",
    )
    p_create.add_argument(
        "--duration",
        default=None,
        help="Expiry duration, e.g. 30d, 12h, 1w.  Omit for no expiry.",
    )
    p_create.add_argument(
        "--name",
        default=None,
        help="Optional custom name for the token.",
    )

    # --- delete ---
    p_delete = sub.add_parser("delete", help="Delete an API token.")
    p_delete.add_argument("--id", required=True, metavar="TOKEN_ID", help="Token ID to delete.")

    return parser


def main() -> None:
    parser = build_parser()
    args = parser.parse_args()

    # --- Build auth kwargs passed to every API call ---
    if args.token:
        auth = {"api_token": args.token}
    elif args.kerberos:
        session_opener = login_with_kerberos(args.url)
        auth = {"opener": session_opener}
    else:
        password = args.password or getpass.getpass(f"Password for '{args.login}': ")
        session_opener = login_with_password(args.url, args.login, password)
        auth = {"opener": session_opener}

    if args.command == "list":
        # For list, the optional --user filter lives on the subcommand
        tokens = list_tokens(args.url, getattr(args, "user", None), **auth)
        if not tokens:
            print("No tokens found.")
        else:
            print(f"Found {len(tokens)} token(s):")
            for t in tokens:
                print_token(t)
            
            # Send email report if requested
            if getattr(args, "email", False):
                if not HAS_EMAIL:
                    print("\n? [Error] Email module not available. Please check that email_report.py is in the same directory.", file=sys.stderr)
                    sys.exit(1)
                
                print("\n?? Generating email report...")
                
                # Generate HTML report
                report_html = generate_rundeck_tokens_report(
                    tokens=tokens,
                    base_url=args.url
                )
                
                # Save to file if requested
                if getattr(args, "report_path", None):
                    try:
                        with open(args.report_path, 'w', encoding='utf-8') as f:
                            f.write(report_html)
                        print(f"? Report saved to: {args.report_path}")
                    except Exception as e:
                        print(f"? Error saving report: {e}", file=sys.stderr)
                        sys.exit(1)
                
                # Send email
                try:
                    sender = EmailReportSender()
                    subject = f"Rundeck API Tokens Report - {datetime.now().strftime('%d/%m/%Y')}"
                    success = sender.send_simple_report(
                        subject=subject,
                        html_body=report_html
                    )
                    if not success:
                        print("[ERROR] Failed to send email", file=sys.stderr)
                        sys.exit(1)
                except Exception as e:
                    print(f"[ERROR] Error sending email: {e}", file=sys.stderr)
                    sys.exit(1)

    elif args.command == "get":
        token = get_token(args.url, args.id, **auth)
        print_token(token)

    elif args.command == "create":
        new_token = create_token(
            args.url, args.user, args.roles, args.duration, args.name, **auth
        )
        print("Token created:")
        print_token(new_token)

    elif args.command == "delete":
        delete_token(args.url, args.id, **auth)


if __name__ == "__main__":
    main()

email_report

#!/usr/bin/env python3
"""
Module d'envoi de rapports par email avec timeout strict
"""

import smtplib
import os
import socket
import threading
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders
from pathlib import Path
from datetime import datetime
from typing import Optional, List


class EmailReportSender:
    """Classe pour envoyer des rapports par email avec HTML et pieces jointes"""
    
    def __init__(self, smtp_server: str = None, smtp_port: int = None,
                 from_email: str = None, to_email: str = None, use_tls: bool = False):
        """Initialise le sender avec la config SMTP"""
        self.smtp_server = smtp_server or os.getenv('SMTP_SERVER', 'localhost')
        self.smtp_port = int(smtp_port or os.getenv('SMTP_PORT', 25))
        self.from_email = from_email or os.getenv('FROM_EMAIL', 'monitoring@example.com')
        self.to_email = to_email or os.getenv('TO_EMAIL', 'admin@example.com')
        self.use_tls = use_tls
    
    def send_simple_report(self, subject: str, html_body: str, text_body: Optional[str] = None,
                          attachments: Optional[List[str]] = None, cc: Optional[str] = None,
                          bcc: Optional[str] = None) -> bool:
        """Envoie un email simple avec rapport HTML"""
        try:
            msg = MIMEMultipart('alternative')
            msg['Subject'] = subject
            msg['From'] = self.from_email
            msg['To'] = self.to_email
            
            if cc:
                msg['Cc'] = cc
            if bcc:
                msg['Bcc'] = bcc
            
            if text_body:
                msg.attach(MIMEText(text_body, 'plain', 'utf-8'))
            else:
                text_fallback = self._html_to_text(html_body)
                msg.attach(MIMEText(text_fallback, 'plain', 'utf-8'))
            
            msg.attach(MIMEText(html_body, 'html', 'utf-8'))
            
            if attachments:
                for attachment_path in attachments:
                    if Path(attachment_path).exists():
                        self._attach_file(msg, attachment_path)
            
            recipients = [self.to_email]
            if cc:
                recipients.extend([e.strip() for e in cc.split(',')])
            if bcc:
                recipients.extend([e.strip() for e in bcc.split(',')])
            
            msg_string = msg.as_string()
            return self._send_with_timeout(recipients, msg_string, timeout=5)
            
        except Exception as e:
            print(f"[ERROR] Error preparing email: {e}")
            return False
    
    def _send_with_timeout(self, recipients, msg_string, timeout=5):
        """Envoie email dans un thread avec timeout strict"""
        result = {'sent': False, 'error': None}
        
        def send_thread():
            try:
                print(f"   [INFO] Checking socket on {self.smtp_server}:{self.smtp_port}...")
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                sock.settimeout(timeout)
                sock.connect((self.smtp_server, self.smtp_port))
                sock.close()
                
                with smtplib.SMTP(self.smtp_server, self.smtp_port, timeout=timeout) as server:
                    if self.use_tls:
                        server.starttls()
                    server.sendmail(self.from_email, recipients, msg_string)
                result['sent'] = True
            except socket.timeout:
                result['error'] = f"Timeout: {self.smtp_server}:{self.smtp_port} no response in {timeout}s"
            except socket.gaierror:
                result['error'] = f"Host not found: {self.smtp_server}"
            except ConnectionRefusedError:
                result['error'] = f"Connection refused: {self.smtp_server}:{self.smtp_port}"
            except socket.error as e:
                result['error'] = f"Socket error: {e}"
            except smtplib.SMTPException as e:
                result['error'] = f"SMTP error: {e}"
            except Exception as e:
                result['error'] = f"Error: {type(e).__name__}: {e}"
        
        thread = threading.Thread(target=send_thread, daemon=True)
        thread.start()
        thread.join(timeout=timeout + 2)
        
        if thread.is_alive():
            print(f"[ERROR] Timeout after {timeout + 2}s - server not responding")
            return False
        
        if result['sent']:
            print(f"[SUCCESS] Email sent successfully")
            return True
        else:
            print(f"[ERROR] {result['error']}")
            return False
    
    @staticmethod
    def _attach_file(msg, file_path: str):
        """Attach file to message"""
        part = MIMEBase('application', 'octet-stream')
        with open(file_path, 'rb') as attachment:
            part.set_payload(attachment.read())
        encoders.encode_base64(part)
        part.add_header('Content-Disposition', f'attachment; filename={Path(file_path).name}')
        msg.attach(part)
    
    @staticmethod
    def _html_to_text(html):
        """Convert HTML to text"""
        import re
        text = re.sub('<[^<]+?>', '', html)
        text = re.sub(r'\n\s*\n', '\n\n', text)
        return text.strip()


def _get_expiry_status_for_html(expiration_str):
    """Return (label, color_hex) based on days until expiry - matching CLI behavior"""
    try:
        from datetime import timezone
        exp = datetime.fromisoformat(expiration_str.replace("Z", "+00:00"))
        # Handle naive datetime (simple date without timezone info)
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        now = datetime.now(timezone.utc)
        days = (exp - now).days
        if days < 0:
            return "[EXPIRED]", "#d32f2f"
        elif days < 3:
            return f"[CRITICAL – expires in {days}d]", "#d32f2f"
        elif days < 7:
            return f"[WARNING – expires in {days}d]", "#f57c00"
        else:
            return f"[OK – expires in {days}d]", "#388e3c"
    except (ValueError, AttributeError, TypeError):
        return "", "#000000"


def generate_rundeck_tokens_report(tokens, base_url="", timestamp=None):
    """Generate HTML report for Rundeck tokens matching CLI display"""
    if not timestamp:
        timestamp = datetime.now().strftime("%d/%m/%Y %H:%M:%S")
    
    total = len(tokens)
    expired = sum(1 for t in tokens if t.get('expired'))
    active = total - expired
    
    html = f"""<html>
<head>
    <meta charset="UTF-8">
    <style>
        body {{ font-family: Courier New, monospace; margin: 20px; background-color: #f5f5f5; }}
        h1 {{ color: #0066cc; font-size: 18px; font-weight: bold; }}
        h2 {{ color: #333; font-size: 14px; font-weight: bold; margin-top: 20px; }}
        .summary {{ margin: 15px 0; }}
        .summary-item {{ margin: 5px 0; }}
        .token-container {{ margin: 15px 0; background-color: white; border: 1px solid #ddd; border-radius: 4px; }}
        .token-header {{ background-color: #f0f0f0; padding: 10px; border-bottom: 1px solid #ddd; font-weight: bold; }}
        .token-content {{ padding: 10px; }}
        .token-field {{ margin: 5px 0; }}
        .token-label {{ display: inline-block; width: 120px; font-weight: bold; }}
        .token-value {{ display: inline-block; word-break: break-all; }}
        .separator {{ border-top: 1px solid #ccc; margin: 10px 0; }}
    </style>
</head>
<body>
<h1>Rundeck API Tokens Report</h1>
<p><strong>Date:</strong> {timestamp}</p>
<p><strong>Server:</strong> {base_url}</p>

<h2>Summary</h2>
<div class="summary">
    <div class="summary-item"><strong>Total tokens:</strong> {total}</div>
    <div class="summary-item"><strong>Active:</strong> {active}</div>
    <div class="summary-item"><strong>Expired:</strong> {expired}</div>
</div>

<h2>Details</h2>
"""
    
    for idx, token in enumerate(tokens, 1):
        status_label = ""
        status_color = "#000000"
        
        if token.get("expiration"):
            status_label, status_color = _get_expiry_status_for_html(token["expiration"])
        elif token.get("expired") is True:
            status_label, status_color = "[EXPIRED]", "#d32f2f"
        
        html += f"""<div class="token-container">
    <div class="token-header" style="color: {status_color};">
        Token #{idx} – {status_label}
    </div>
    <div class="token-content">
"""
        
        token_fields = ["id", "name", "user", "roles", "expiration", "expired", "creator", "token"]
        for field in token_fields:
            if field not in token:
                continue
            
            value = token[field]
            
            if field == "expiration" and isinstance(value, str) and value:
                value = value[:10]
            elif field == "roles" and isinstance(value, list):
                value = ", ".join(value)
            
            style = ""
            if field in ("expiration", "expired") and status_color != "#000000":
                style = f" style='color: {status_color}; font-weight: bold;'"
            
            html += f"""        <div class="token-field"{style}>
            <span class="token-label">{field:12s}:</span> <span class="token-value">{value}</span>
        </div>
"""
        
        html += """    </div>
    <div class="separator"></div>
</div>
"""
    
    html += """</body>
</html>"""
    
    return html

Derniers articles

Catégories

Archives

Auteurs/Autrices