RE: Question about Salt_Bytes

@steviecoaster said in Question about Salt_Bytes:

Sweet mother Mary, I got it! It was the content type. I was using application/json and it wanted application/x-ww-form-urlencoded

This code works properly to set the password for a user:

function Set-ProGetUserPassword {
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory)]
        [String]
        $Username,

        [Parameter(Mandatory)]
        [SecureString]
        $OldPassword,

        [Parameter(Mandatory)]
        [SecureString]
        $NewPassword
    )

    begin {
        $confirm = Read-Host "Please re-enter your new password" -AsSecureString

        $identical = Compare-SecureString -SecureString1 $NewPassword -SecureString2 $confirm

        if (-not $identical) {
            Write-Error 'Passwords do not match!'
            break
        }
    }

    end {

        $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($unmanagedString)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($unmanagedString) # Clean up
        $iterations = 10000
        $saltLength = 10
        $hashLength = 20

        $rfc2898 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plainTextPassword, $saltLength, $iterations)
        $passwordBytes = $rfc2898.GetBytes($hashLength)
        $saltBytes = $rfc2898.Salt

        $base64Password = [System.Convert]::ToBase64String($passwordBytes)
        $base64Salt = [System.Convert]::ToBase64String($saltBytes)

        $body = @{
            User_Name = $Username
            Password_Bytes = $base64Password
            Salt_Bytes = $base64Salt
        }

        Write-Verbose $body

        $Params = @{
            Slug     = '/api/json/Users_SetPassword'
            Method   = 'POST'
            Body = $body
            ContentType = 'application/x-www-form-urlencoded'
        }

        Invoke-ProGet @Params
    }
}

Spoke to soon. This code functions and doesn't produce an error. However, the user cannot login with the credential set. More playing to do!

Sweet mother Mary, I got it! It was the content type. I was using application/json and it wanted application/x-ww-form-urlencoded

This code works properly to set the password for a user:

function Set-ProGetUserPassword {
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory)]
        [String]
        $Username,

        [Parameter(Mandatory)]
        [SecureString]
        $OldPassword,

        [Parameter(Mandatory)]
        [SecureString]
        $NewPassword
    )

    begin {
        $confirm = Read-Host "Please re-enter your new password" -AsSecureString

        $identical = Compare-SecureString -SecureString1 $NewPassword -SecureString2 $confirm

        if (-not $identical) {
            Write-Error 'Passwords do not match!'
            break
        }
    }

    end {

        $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($unmanagedString)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($unmanagedString) # Clean up
        $iterations = 10000
        $saltLength = 10
        $hashLength = 20

        $rfc2898 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plainTextPassword, $saltLength, $iterations)
        $passwordBytes = $rfc2898.GetBytes($hashLength)
        $saltBytes = $rfc2898.Salt

        $base64Password = [System.Convert]::ToBase64String($passwordBytes)
        $base64Salt = [System.Convert]::ToBase64String($saltBytes)

        $body = @{
            User_Name = $Username
            Password_Bytes = $base64Password
            Salt_Bytes = $base64Salt
        }

        Write-Verbose $body

        $Params = @{
            Slug     = '/api/json/Users_SetPassword'
            Method   = 'POST'
            Body = $body
            ContentType = 'application/x-www-form-urlencoded'
        }

        Invoke-ProGet @Params
    }
}

In my playing around yesterday, I did try to convert that to base64 and it still produced the same error. I'm very perplexed! For my use case I really need this functionality so I'm hopeful I can find a solution.

Here's what I'm using currently, but it's complaining about Salt_Bytes. I'm fairly certain this is a PowerShell problem, but more eyes on it never hurt.

function Set-ProGetUserPassword {
    [Cmdletbinding()]
    Param(
        [Parameter(Mandatory)]
        [String]
        $Username,

        [Parameter(Mandatory)]
        [SecureString]
        $OldPassword,

        [Parameter(Mandatory)]
        [SecureString]
        $NewPassword
    )

    begin {
        $confirm = Read-Host "Please re-enter your new password" -AsSecureString

        $identical = Compare-SecureString -SecureString1 $NewPassword -SecureString2 $confirm

        if(-not $identical){
            Write-Error 'Passwords do not match!'
            break
        }
    }

    end {

        $unmanagedString = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($NewPassword)
        $plainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($unmanagedString)
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($unmanagedString) # Clean up
        $iterations = 10000
        $saltLength = 10
        $hashLength = 20

        $rfc2898 = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($plainTextPassword, $saltLength, $iterations)
        $passwordBytes = $rfc2898.GetBytes($hashLength)
        $saltBytes = $rfc2898.Salt

        $base64Password = [System.Convert]::ToBase64String($passwordBytes)

        $body = @{
            User_Name = $UserName
            Password_Bytes = $base64Password
            Salt_Bytes = $saltBytes
        }

        Write-Verbose ($body | ConvertTo-Json)

        $Params = @{
            Slug = '/api/json/Users_SetPassword'
            Method = 'POST'
            Body = $body
        }

        Invoke-ProGet @Params
    }
}

Re: Reset ProGet Admin Password via API

I've got code using the Native API which creates a user account and works wonders. But as I'm doing this programmatically I need to also generate a random password for the account, and set it. Seems pretty straightforward to do....but I'm unsure about what to do with the Salt_Bytes parameter available on the API. Any pointers would be outstanding.

Are we sure this is a ProGet problem and not a Docker problem? Assuming the asset is outside the container and you're trying to upload it into ProGet inside the container, you may be hitting a setting inside Docker.

@dean-houston thanks for that info! I think that'll do nicely. I'll have to play around with it to be sure, but from what I can tell it looks straightforward to implement. Thank you!

@dean-houston said in API ability to control Feed Access:

I believe it's possible to configure security with the Native API, but obviously not as easy. So I would explore that, it's probably close to what you wnat.

Do you have documentation/guidance on that? Whilst I'm a fan of DevTools in a browser and bending things to my will, I'd much more a fan of using documented non-hacky processes, particularly when I'm going to be potentially work in a customer environment.

This conversation may be best served taken off the forum and into more direct communications. There's a method to my madness here, and it doesn't really have any reason to be hashed out here publicly.

I'm looking to automate the setup and configuration of ProGet as much as I can. I've found the API to be really good so far, and Ive been able to automate 90% of the things that I require (I build a lot of repository instances). One thing that is super important to me is configuring Read-Only access to the feed to a particular user account, and configuring a Chocolatey client to use that credential to authenticate to the source.

There doesn't seem to be an API endpoint exposed to be able to configure local accounts programmatically. I know it's a non-trivial ask, but, could we get one?

I'm not sure the rules on posting links to gists, so if this breaks one, delete it. However, once I got my feet under me with setting ups HTTPS I went ahead and wrote some code so I can automate it. It assumes a few things, and could be improved but for my use case it is flexible where it needs to be. Enjoy!

https://gist.github.com/steviecoaster/0a2c0d4b09988dedf8e1df1844ec6b8a

HAZZAH! I got it!

The problem was in C:\ProgramData\Inedo\SharedConfig\ProGet.config

CertFile=""C:\proget_cert\cert.pfx""

Should be:

CertFile="C:\proget_cert\cert.pfx"

Pretty sure it's because I used "Copy as Path" and used the resulting string verbatim, which url ended my string, which wrote literally to the config file. Chaulk this one up to a Friday, but for folks landing here later with maybe the same thing: Don't put the path to your cert file in quotes.

I found some time to dig into this again this morning. I've switched to attempting to use my PFX file directly. It is still not functioning over SSL but the error in the browser has changed! I guess that's progress :)

For completeness here is what I've got in the settings:

It looks like some new info in the Event Logs has appeared, but without a debugger is not very useful to me:

Again, happy to provide any further info you may need.

Oh, it would be helpful of me to tell you that I'm running ProGet 2024.11 (Build 10)

Hey all,

Following https://docs.inedo.com/docs/installation/installing-on-iis/installation-windows-https-support to setup my instance to use SSL and it just....doesn't work.

I'm using a Let's Encrypt certificate installed in the LocalMachine\My (Personal) store. This certificate is valid, and in use by other working services on this server.

I don't see any issues within the web interface of proget:

Despite this, it seems I cannot reach the instance via https:

There is something in the logs though. Looks like the proget service running as Network Service doesn't have permission to the private key of my cert:

A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
 The SSPI client process is ProGet.Service (PID: 8016).

I'm going to attempt to set it up with one of the other methods and see if I get it working that way, but any guidance on what seems the "easiest" way, would be helpful :)

If you're using Chocolatey at a version lower than 2.0.0 then there was only NuGet v2 support. Since 2.0.0 we've added support for NuGet v3. We also send chocolatey cli in the headers of the request, so you would be able to monitor the traffic and determin which traffic is originating from that tool.

But as others mentioned, you wouldn't be able to determine much from the ProGet side.

Hi, me again. So, I'm a bit "stuck", and I'm sure it's silly but I can't find a good answer. I've got a Chocolatey Package that is downloading the latest offline ProGet installer, extracting it and attempting to install it silently.

I've had to do a bit of "magic" as the offline installer appears to not include hub.exe, so I've monkey-patched that in and I'm getting the following when actually invoking an install:

A fatal error was encountered. The library 'hostpolicy.dll' required to execute the application was not found in 'C:\Program Files\dotnet\'.
Failed to run as a self-contained app.
  - The application was run as a self-contained app because 'C:\ProgramData\chocolatey\lib\proget\tools\InedoTemp\hub.runtimeconfig.json' did not specify a framework.
  - If this should be a framework-dependent app, specify the appropriate framework in 'C:\ProgramData\chocolatey\lib\proget\tools\InedoTemp\hub.runtimeconfig.json'.
ERROR:
Running ['C:\ProgramData\chocolatey\lib\proget\tools\InedoTemp\hub.exe' install Proget:2024.9.0 --ConnectionString='Data Source=localhost\SQLEXPRESS; Integrated Security=True;' --TargetDirectory='C:\Program Files\ProGet' --UseIIS=true UseIntegratedWebServer=false] was not successful.
 Exit code was '-2147450749' See log for possible error messages..
The install of proget was NOT successful.
Error while running 'C:\ProgramData\chocolatey\lib\proget\tools\chocolateyInstall.ps1'.
 See log for details.

For completeness here is the chocolateyInstall.ps1 file I'm using. I appreciate there's some helper functions from Choco and one I wrote for getting the latest installer bits, but should be self-explanatory:

$ErrorActionPreference = 'Stop'
$toolsDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
$helpers = Join-Path $toolsDir -ChildPath 'helpers.ps1'
$unzipPath = New-Item (Join-Path $toolsDir -ChildPath 'InedoTemp') -ItemType Directory
$hub = Join-Path $toolsDir -ChildPath 'hub.zip'

$pp = Get-PackageParameters

#Load helpers
. $helpers

# Download Offline Installer
$ProGet = Get-ProGetInstaller
$ProGetInstaller = Join-Path $toolsDir -ChildPath (Split-Path -Leaf $ProGet.Downloads)

$webFileArgs = @{
    Packagename  = $env:ChocolateyPackageName
    FileFullPath = $ProGetInstaller
    Url          = $ProGet.Downloads
    Checksum     = '03CD312905CF735DE36B303FF28C63880B1B7AFD4A458D69280EAB88F546BD29'
    checksumType = 'SHA256'
}

Get-ChocolateyWebFile @webFileArgs

# Extract Offline Installer
$unzipArgs = @{
    Packagename  = $env:ChocolateyPackageName
    FileFullPath = $ProGetInstaller
    Destination  = $unzipPath
}

Get-ChocolateyUnzip @unzipArgs

#Copy Hub.exe to extracted directory
$unzipArgs = @{
    Packagename  = $env:ChocolateyPackageName
    FileFullPath = $hub
    Destination  = $unzipPath
}

Get-ChocolateyUnzip @unzipArgs

#Install the sumbitch

#Set the connectionString
$ConnectionString = if ($pp['ConnectionString']) {
    $pp['ConnectionString']
}
else {
    'Data Source=localhost\SQLEXPRESS; Integrated Security=True;'
}

#Set the TargetDir
$ProGetDestination = if ($pp['InstallDir']) {
    $pp['InstallDir']
}
else {
    if (-not (Test-Path (Join-path $env:ProgramFiles -ChildPath 'ProGet'))) {
        $null = New-Item (Join-path $env:ProgramFiles -ChildPath 'ProGet') -ItemType Directory 
    } else {
        Join-Path $env:ProgramFiles -ChildPath 'ProGet'
    }
}

$hubExe = Join-Path $unzipPath -ChildPath 'hub.exe'

$installArgs = @{
    Statements     = @('install', "Proget:$($env:ChocolateyPackageVersion)", "--ConnectionString='$ConnectionString'", "--TargetDirectory='$ProgetDestination'",'--UseIIS=true','UseIntegratedWebServer=false')
    ExeToRun       = $hubExe
    validExitCodes = @(0)
}

Start-ChocolateyProcessAsAdmin @installArgs

#Secure with SSL?

Any pointers here would be superbly appreciated.

Ha, It was a goofy issue. I wasn't paying attention and had the Body defined as a string in my proxy function.

This is working nicely now!

And that is the part that wasn't clicking for me. I missed it was a self-extracting .exe Awesome, I can use Install-ChocolateyZipPackage as a base, and then go from there. Perfect!

I'm attempting to generate a Chocolatey package, which I can host on the Chocolatey Community Repository to install ProGet. I've found the OfflineInstaller downloads at https://my.inedo.com/downloads/installers?Product=ProGet and the documentation for silent installation at https://docs.inedo.com/docs/installation-windows-silent however this is all very confusing/conflicting with https://docs.inedo.com/docs/desktophub-offline, specifically this:

I can't find the clear path to be able to silently control the installation of ProGet through the use of Chocolatey. I am just....thoroughly confused at the minute :D

The documentation at https://docs.inedo.com/docs/proget-api-feeds-create suggests I can use pgutil feeds create to create a new feed, however it seems the latest release available on Github does not have that option available, and using the API with PowerShell throws a type error as the endpoint is expecting a very specific type of payload, and a PowerShell hashtable (which is the most common way to interact with a JSON body-based api) doesn't work.

Is there a specific version of pgutil.exe I should be using to create new feeds?