win_acl - fix support for registry paths (#54427)

lib/ansible/modules/windows/win_acl.ps1

@@ -90,6 +90,18 @@ $state = Get-AnsibleParam -obj $params -name "state" -type "str" -default "prese
 $inherit = Get-AnsibleParam -obj $params -name "inherit" -type "str"
 $propagation = Get-AnsibleParam -obj $params -name "propagation" -type "str" -default "None" -validateset "InheritOnly","None","NoPropagateInherit"
 
+# We mount the HKCR, HKU, and HKCC registry hives so PS can access them
+$path_qualifier = Split-Path -Path $path -Qualifier
+if ($path_qualifier -eq "HKCR:" -and (-not (Test-Path -LiteralPath HKCR:\))) {
+    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT > $null
+}
+if ($path_qualifier -eq "HKU:" -and (-not (Test-Path -LiteralPath HKU:\))) {
+    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS > $null
+}
+if ($path_qualifier -eq "HKCC:" -and (-not (Test-Path -LiteralPath HKCC:\))) {
+    New-PSDrive -Name HKCC -PSProvider Registry -Root HKEY_CURRENT_CONFIG > $null
+}
+
 If (-Not (Test-Path -LiteralPath $path)) {
     Fail-Json -obj $result -message "$path file or directory does not exist on the host"
 }
@@ -107,9 +119,14 @@ ElseIf ($null -eq $inherit) {
     $inherit = "ContainerInherit, ObjectInherit"
 }
 
+# Bug in Set-Acl, Get-Acl where -LiteralPath only works for the Registry provider if the location is in that root
+# qualifier.
+Push-Location -LiteralPath $path_qualifier
+
 Try {
     SetPrivilegeTokens
-    If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
+    $path_item = Get-Item -LiteralPath $path -Force
+    If ($path_item.PSProvider.Name -eq "Registry") {
         $colRights = [System.Security.AccessControl.RegistryRights]$rights
     }
     Else {
@@ -127,7 +144,7 @@ Try {
     }
 
     $objUser = New-Object System.Security.Principal.SecurityIdentifier($sid)
-    If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
+    If ($path_item.PSProvider.Name -eq "Registry") {
         $objACE = New-Object System.Security.AccessControl.RegistryAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
     }
     Else {
@@ -152,7 +169,7 @@ Try {
             $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
         }
 
-        If ($path -match "^HK(CC|CR|CU|LM|U):\\") {
+        If ($path_item.PSProvider.Name -eq "Registry") {
             If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
                 $match = $true
                 Break
@@ -197,7 +214,13 @@ Try {
     }
 }
 Catch {
+    $result.exception = ($_ | Out-String)
+    $result.test = ($pwd.Path)
     Fail-Json -obj $result -message "an error occurred when attempting to $state $rights permission(s) on $path for $user - $($_.Exception.Message)"
 }
+Finally {
+    # Make sure we revert the location stack to the original path just for cleanups sake
+    Pop-Location
+}
 
 Exit-Json -obj $result

test/integration/targets/win_acl/defaults/main.yml

@@ -1,2 +1,4 @@
 ---
 test_acl_path: '{{ win_output_dir }}\win_acl .ÅÑŚÌβŁÈ [$!@^&test(;)]'
+# Use HKU as that path is not automatically loaded in the PSProvider making our test more complex
+test_acl_reg_path: HKU:\.DEFAULT\Ansible Test .ÅÑŚÌβŁÈ [$!@^&test(;)]

test/integration/targets/win_acl/tasks/main.yml

@@ -7,6 +7,15 @@
   - absent
   - directory
 
+- name: ensure we start with a clean reg path
+  win_regedit:
+    path: '{{ test_acl_reg_path }}'
+    delete_key: yes
+    state: '{{ item }}'
+  with_items:
+  - absent
+  - present
+
 - block:
   - name: run tests
     include_tasks: tests.yml
@@ -16,3 +25,9 @@
     win_file:
       path: '{{ test_acl_path }}'
       state: absent
+
+  - name: cleanup testing reg path
+    win_regedit:
+      path: '{{ test_acl_reg_path }}'
+      delete_key: yes
+      state: absent

test/integration/targets/win_acl/tasks/tests.yml

@@ -3,15 +3,24 @@
 - name: get register cmd that will get ace info
   set_fact:
     test_ace_cmd: |
+      # Overcome bug in Set-Acl/Get-Acl for registry paths and -LiteralPath
+      New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS > $null
+      Push-Location -LiteralPath (Split-Path -Path $path -Qualifier)
+      $rights_key = if ((Get-Item -LiteralPath $path -Force).PSProvider.Name -eq "Registry") {
+          "RegistryRights"
+      } else {
+          "FileSystemRights"
+      }
       $ace_list = (Get-Acl -LiteralPath $path).Access | Where-Object { $_.IsInherited -eq $false } | ForEach-Object {
           @{
-              rights = $_.FileSystemRights.ToString()
+              rights = $_."$rights_key".ToString()
               type = $_.AccessControlType.ToString()
               identity = $_.IdentityReference.Value.ToString()
               inheritance_flags = $_.InheritanceFlags.ToString()
               propagation_flags = $_.PropagationFlags.ToString()
           }
       }
+      Pop-Location
       ConvertTo-Json -InputObject @($ace_list)
 
 - name: add write rights to Guest
@@ -161,3 +170,151 @@
   assert:
     that:
     - not remove_deny_right_again is changed
+
+- name: add write rights to Guest - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: allow
+    user: Guests
+    rights: WriteKey
+  register: allow_right_reg
+
+- name: get result of add write rights to Guest - registry
+  win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
+  register: allow_right_reg_actual
+
+- name: assert add write rights to Guest - registry
+  assert:
+    that:
+    - allow_right_reg is changed
+    - (allow_right_reg_actual.stdout|from_json)|count == 1
+    - (allow_right_reg_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
+    - (allow_right_reg_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit, ObjectInherit'
+    - (allow_right_reg_actual.stdout|from_json)[0].propagation_flags == 'None'
+    - (allow_right_reg_actual.stdout|from_json)[0].rights == 'WriteKey'
+    - (allow_right_reg_actual.stdout|from_json)[0].type == 'Allow'
+
+- name: add write rights to Guest (idempotent) - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: allow
+    user: Guests
+    rights: WriteKey
+  register: allow_right_reg_again
+
+- name: assert add write rights to Guest (idempotent) - registry
+  assert:
+    that:
+    - not allow_right_reg_again is changed
+
+- name: remove write rights from Guest - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: allow
+    user: Guests
+    rights: WriteKey
+    state: absent
+  register: remove_right_reg
+
+- name: get result of remove write rights from Guest - registry
+  win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
+  register: remove_right_reg_actual
+
+- name: assert remove write rights from Guest - registry
+  assert:
+    that:
+    - remove_right_reg is changed
+    - remove_right_reg_actual.stdout_lines == ["[", "", "]"]
+
+- name: remove write rights from Guest (idempotent) - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: allow
+    user: Guests
+    rights: WriteKey
+    state: absent
+  register: remove_right_reg_again
+
+- name: assert remote write rights from Guest (idempotent) - registry
+  assert:
+    that:
+    - not remove_right_reg_again is changed
+
+- name: add deny write rights to Guest - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: deny
+    user: Guests
+    rights: WriteKey
+    inherit: ContainerInherit
+    propagation: NoPropagateInherit
+    state: present
+  register: add_deny_right_reg
+
+- name: get result of add deny write rights to Guest - registry
+  win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
+  register: add_deny_right_reg_actual
+
+- name: assert add deny write rights to Guest - registry
+  assert:
+    that:
+    - add_deny_right_reg is changed
+    - (add_deny_right_reg_actual.stdout|from_json)|count == 1
+    - (add_deny_right_reg_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
+    - (add_deny_right_reg_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit'
+    - (add_deny_right_reg_actual.stdout|from_json)[0].propagation_flags == 'NoPropagateInherit'
+    - (add_deny_right_reg_actual.stdout|from_json)[0].rights == 'WriteKey'
+    - (add_deny_right_reg_actual.stdout|from_json)[0].type == 'Deny'
+
+- name: add deny write rights to Guest (idempotent) - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: deny
+    user: Guests
+    rights: WriteKey
+    inherit: ContainerInherit
+    propagation: NoPropagateInherit
+    state: present
+  register: add_deny_right_reg_again
+
+- name: assert add deny write rights to Guest (idempotent) - registry
+  assert:
+    that:
+    - not add_deny_right_reg_again is changed
+
+- name: remove deny write rights from Guest - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: deny
+    user: Guests
+    rights: WriteKey
+    inherit: ContainerInherit
+    propagation: NoPropagateInherit
+    state: absent
+  register: remove_deny_right_reg
+
+- name: get result of remove deny write rights from Guest - registry
+  win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
+  register: remove_deny_right_reg_actual
+
+- name: assert remove deny write rights from Guest - registry
+  assert:
+    that:
+    - remove_deny_right_reg is changed
+    - remove_deny_right_reg_actual.stdout_lines == ["[", "", "]"]
+
+- name: remove deny write rights from Guest (idempotent) - registry
+  win_acl:
+    path: '{{ test_acl_reg_path }}'
+    type: deny
+    user: Guests
+    rights: WriteKey
+    inherit: ContainerInherit
+    propagation: NoPropagateInherit
+    state: absent
+  register: remove_deny_right_reg_again
+
+- name: assert remove deny write rights from Guest (idempotent) - registry
+  assert:
+    that:
+    - not remove_deny_right_reg_again is changed