- set_fact :
become_test_username : ansible_become_test
become_test_admin_username : ansible_become_admin
gen_pw : password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
- name : create unprivileged user
win_user :
name : "{{ become_test_username }}"
password : "{{ gen_pw }}"
update_password : always
groups : Users
register : user_limited_result
- name : create a privileged user
win_user :
name : "{{ become_test_admin_username }}"
password : "{{ gen_pw }}"
update_password : always
groups : Administrators
register : user_admin_result
- name : add requisite logon rights for test user
win_user_right :
name : '{{item}}'
users : '{{become_test_username}}'
action : add
with_items :
- SeNetworkLogonRight
- SeInteractiveLogonRight
- SeBatchLogonRight
- name : execute tests and ensure that test user is deleted regardless of success/failure
block :
- name : ensure current user is not the become user
win_whoami :
register : whoami_out
failed_when : whoami_out.account.sid == user_limited_result.sid or whoami_out.account.sid == user_admin_result.sid
- name : get become user profile dir so we can clean it up later
vars : &become_vars
ansible_become_user : "{{ become_test_username }}"
ansible_become_password : "{{ gen_pw }}"
ansible_become_method : runas
ansible_become : yes
win_shell : $env:USERPROFILE
register : profile_dir_out
- name : ensure profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
assert :
that :
- become_test_username in profile_dir_out.stdout_lines[0]
- name : get become admin user profile dir so we can clean it up later
vars : &admin_become_vars
ansible_become_user : "{{ become_test_admin_username }}"
ansible_become_password : "{{ gen_pw }}"
ansible_become_method : runas
ansible_become : yes
win_shell : $env:USERPROFILE
register : admin_profile_dir_out
- name : ensure profile dir contains admin test username
assert :
that :
- become_test_admin_username in admin_profile_dir_out.stdout_lines[0]
- name : test become runas via task vars (underprivileged user)
vars : *become_vars
win_whoami :
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.account.sid == user_limited_result.sid
- whoami_out.account.account_name == become_test_username
- whoami_out.label.account_name == 'Medium Mandatory Level'
- whoami_out.label.sid == 'S-1-16-8192'
- whoami_out.logon_type == 'Interactive'
- name : test become runas via task vars (privileged user)
vars : *admin_become_vars
win_whoami :
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.account.sid == user_admin_result.sid
- whoami_out.account.account_name == become_test_admin_username
- whoami_out.label.account_name == 'High Mandatory Level'
- whoami_out.label.sid == 'S-1-16-12288'
- whoami_out.logon_type == 'Interactive'
- name : test become runas via task keywords
vars :
ansible_become_password : "{{ gen_pw }}"
become : yes
become_method : runas
become_user : "{{ become_test_username }}"
win_shell : whoami
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.stdout_lines[0].endswith(become_test_username)
- name : test become via block vars
vars : *become_vars
block :
- name : ask who the current user is
win_whoami :
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.account.sid == user_limited_result.sid
- whoami_out.account.account_name == become_test_username
- whoami_out.label.account_name == 'Medium Mandatory Level'
- whoami_out.label.sid == 'S-1-16-8192'
- whoami_out.logon_type == 'Interactive'
- name : test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
vars : *become_vars
setup :
- name : test become with SYSTEM account
win_whoami :
become : yes
become_method : runas
become_user : SYSTEM
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.account.sid == "S-1-5-18"
- whoami_out.account.account_name == "SYSTEM"
- whoami_out.account.domain_name == "NT AUTHORITY"
- whoami_out.label.account_name == 'System Mandatory Level'
- whoami_out.label.sid == 'S-1-16-16384'
- whoami_out.logon_type == 'System'
- name : test become with NetworkService account
win_whoami :
become : yes
become_method : runas
become_user : NetworkService
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.account.sid == "S-1-5-20"
- whoami_out.account.account_name == "NETWORK SERVICE"
- whoami_out.account.domain_name == "NT AUTHORITY"
- whoami_out.label.account_name == 'System Mandatory Level'
- whoami_out.label.sid == 'S-1-16-16384'
- whoami_out.logon_type == 'Service'
- name : test become with LocalService account
win_whoami :
become : yes
become_method : runas
become_user : LocalService
register : whoami_out
- name : verify output
assert :
that :
- whoami_out.account.sid == "S-1-5-19"
- whoami_out.account.account_name == "LOCAL SERVICE"
- whoami_out.account.domain_name == "NT AUTHORITY"
- whoami_out.label.account_name == 'System Mandatory Level'
- whoami_out.label.sid == 'S-1-16-16384'
- whoami_out.logon_type == 'Service'
# Test out Async on Windows Server 2012+
- name : get OS version
win_shell : |
$version = [System.Environment]::OSVersion.Version
if ($version -ge [Version]"6.2") {
"async"
} elseif ($version -lt [Version]"6.1") {
"old-gramps"
} else {
""
}
register : os_version
- name : test become + async on older hosts
vars : *become_vars
win_command : whoami
async : 10
register : whoami_out
ignore_errors : yes
- name : verify older hosts failed with become + async
assert :
that :
- whoami_out is failed
when : os_version.stdout_lines[0] != "async"
- name : verify newer hosts worked with become + async
assert :
that :
- whoami_out is successful
when : os_version.stdout_lines[0] == "async"
- name : test failure with string become invalid key
vars : *become_vars
win_whoami :
become_flags : logon_type=batch invalid_flags=a
become_method : runas
register : failed_flags_invalid_key
failed_when : failed_flags_invalid_key.msg != "become_flags key 'invalid_flags' is not a valid runas flag, must be 'logon_type' or 'logon_flags'"
- name : test failure with invalid logon_type
vars : *become_vars
win_whoami :
become_flags : logon_type=invalid
register : failed_flags_invalid_type
failed_when : "failed_flags_invalid_type.msg != \"become_flags logon_type value 'invalid' is not valid, valid values are: interactive, network, batch, service, unlock, network_cleartext, new_credentials\""
- name : test failure with invalid logon_flag
vars : *become_vars
win_whoami :
become_flags : logon_flags=with_profile,invalid
register : failed_flags_invalid_flag
failed_when : "failed_flags_invalid_flag.msg != \"become_flags logon_flags value 'invalid' is not valid, valid values are: with_profile, netcredentials_only\""
# Server 2008 doesn't work with network and network_cleartext, there isn't really a reason why you would want this anyway
- name : become different types
vars : *become_vars
win_whoami :
become_flags : logon_type={{item.type}}
register : become_logon_type
when : not ((item.type == 'network' or item.type == 'network_cleartext') and os_version.stdout_lines[0] == "old-gramps")
failed_when : become_logon_type.logon_type != item.actual and become_logon_type.sid != user_limited_result.sid
with_items :
- type : interactive
actual : Interactive
- type : batch
actual : Batch
- type : network
actual : Network
- type : network_cleartext
actual : NetworkCleartext
- name : become netcredentials with network user
vars :
ansible_become_user : fakeuser
ansible_become_password : fakepassword
ansible_become_method : runas
ansible_become : True
ansible_become_flags : logon_type=new_credentials logon_flags=netcredentials_only
win_whoami :
register : become_netcredentials
- name : assert become netcredentials with network user
assert :
that :
# new_credentials still come up as the ansible_user so we can't test that
- become_netcredentials.label.account_name == 'High Mandatory Level'
- become_netcredentials.label.sid == 'S-1-16-12288'
# FUTURE: test raw + script become behavior once they're running under the exec wrapper again
# FUTURE: add standalone playbook tests to include password prompting and play become keywords
always :
- name : remove explicit logon rights for test user
win_user_right :
name : '{{item}}'
users : '{{become_test_username}}'
action : remove
with_items :
- SeNetworkLogonRight
- SeInteractiveLogonRight
- SeBatchLogonRight
- name : ensure underprivileged test user is deleted
win_user :
name : "{{ become_test_username }}"
state : absent
- name : ensure privileged test user is deleted
win_user :
name : "{{ become_test_admin_username }}"
state : absent
- name : ensure underprivileged test user profile is deleted
# NB: have to work around powershell limitation of long filenames until win_file fixes it
win_shell : rmdir /S /Q {{ profile_dir_out.stdout_lines[0] }}
args :
executable : cmd.exe
when : become_test_username in profile_dir_out.stdout_lines[0]
- name : ensure privileged test user profile is deleted
# NB: have to work around powershell limitation of long filenames until win_file fixes it
win_shell : rmdir /S /Q {{ admin_profile_dir_out.stdout_lines[0] }}
args :
executable : cmd.exe
when : become_test_admin_username in admin_profile_dir_out.stdout_lines[0]
