archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Remove incidental_win_security_policy (#75654)

Browse Source 
* Add an intentional test for diff.prepared

ci_complete
ci_coverage

* Remove incidental_win_security_policy

* Forgot to remove this
pull/75670/head
Martin Krizek 3 years ago committed by GitHub
parent c2fa71c4e8
commit 63413dd483
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 23 additions and 605 deletions
Show Stats Download Patch File Download Diff File

23
test/integration/targets/apt/tasks/repo.yml
Unescape Escape View File

@ -263,3 +263,26 @@
state: absent
when:
- aptitude_status.stdout.find('ii') == -1
- block:
- name: Install the foo package with diff=yes
apt:
name: foo
allow_unauthenticated: yes
diff: yes
register: apt_result
- debug:
var: apt_result
- name: Check the content of diff.prepared
assert:
that:
- apt_result is success
- "'The following NEW packages will be installed:\n foo' in apt_result.diff.prepared"
always:
- name: Clean up
apt:
name: foo
state: absent
allow_unauthenticated: yes

2
test/integration/targets/incidental_win_security_policy/aliases
Unescape Escape View File

@ -1,2 +0,0 @@
shippable/windows/incidental
windows

53
test/integration/targets/incidental_win_security_policy/library/test_win_security_policy.ps1
Unescape Escape View File

@ -1,53 +0,0 @@
#!powershell
# WANT_JSON
# POWERSHELL_COMMON
# basic script to get the lsit of users in a particular right
# this is quite complex to put as a simple script so this is
# just a simple module
$ErrorActionPreference = 'Stop'
$params = Parse-Args $args -supports_check_mode $false
$section = Get-AnsibleParam -obj $params -name "section" -type "str" -failifempty $true
$key = Get-AnsibleParam -obj $params -name "key" -type "str" -failifempty $true
$result = @{
changed = $false
}
Function ConvertFrom-Ini($file_path) {
$ini = @{}
switch -Regex -File $file_path {
"^\[(.+)\]" {
$section = $matches[1]
$ini.$section = @{}
}
"(.+?)\s*=(.*)" {
$name = $matches[1].Trim()
$value = $matches[2].Trim()
if ($value -match "^\d+$") {
$value = [int]$value
} elseif ($value.StartsWith('"') -and $value.EndsWith('"')) {
$value = $value.Substring(1, $value.Length - 2)
}
$ini.$section.$name = $value
}
}
$ini
}
$secedit_ini_path = [IO.Path]::GetTempFileName()
&SecEdit.exe /export /cfg $secedit_ini_path /quiet
$secedit_ini = ConvertFrom-Ini -file_path $secedit_ini_path
if ($secedit_ini.ContainsKey($section)) {
$result.value = $secedit_ini.$section.$key
} else {
$result.value = $null
}
Exit-Json $result

41
test/integration/targets/incidental_win_security_policy/tasks/main.yml
Unescape Escape View File

@ -1,41 +0,0 @@
---
- name: get current entry for audit
test_win_security_policy:
section: Event Audit
key: AuditSystemEvents
register: before_value_audit
- name: get current entry for guest
test_win_security_policy:
section: System Access
key: NewGuestName
register: before_value_guest
- block:
- name: set AuditSystemEvents entry before tests
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: 0
- name: set NewGuestName entry before tests
win_security_policy:
section: System Access
key: NewGuestName
value: Guest
- name: run tests
include_tasks: tests.yml
always:
- name: reset entries for AuditSystemEvents
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: "{{before_value_audit.value}}"
- name: reset entries for NewGuestName
win_security_policy:
section: System Access
key: NewGuestName
value: "{{before_value_guest.value}}"

186
test/integration/targets/incidental_win_security_policy/tasks/tests.yml
Unescape Escape View File

@ -1,186 +0,0 @@
---
- name: fail with invalid section name
win_security_policy:
section: This is not a valid section
key: KeyName
value: 0
register: fail_invalid_section
failed_when: fail_invalid_section.msg != "The section 'This is not a valid section' does not exist in SecEdit.exe output ini"
- name: fail with invalid key name
win_security_policy:
section: System Access
key: InvalidKey
value: 0
register: fail_invalid_key
failed_when: fail_invalid_key.msg != "The key 'InvalidKey' in section 'System Access' is not a valid key, cannot set this value"
- name: change existing key check
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: 1
register: change_existing_check
check_mode: yes
- name: get actual change existing key check
test_win_security_policy:
section: Event Audit
key: AuditSystemEvents
register: change_existing_actual_check
- name: assert change existing key check
assert:
that:
- change_existing_check is changed
- change_existing_actual_check.value == 0
- name: change existing key
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: 1
register: change_existing
- name: get actual change existing key
test_win_security_policy:
section: Event Audit
key: AuditSystemEvents
register: change_existing_actual
- name: assert change existing key
assert:
that:
- change_existing is changed
- change_existing_actual.value == 1
- name: change existing key again
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: 1
register: change_existing_again
- name: assert change existing key again
assert:
that:
- change_existing_again is not changed
- change_existing_again.value == 1
- name: change existing key with string type
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: "1"
register: change_existing_key_with_type
- name: assert change existing key with string type
assert:
that:
- change_existing_key_with_type is not changed
- change_existing_key_with_type.value == "1"
- name: change existing string key check
win_security_policy:
section: System Access
key: NewGuestName
value: New Guest
register: change_existing_string_check
check_mode: yes
- name: get actual change existing string key check
test_win_security_policy:
section: System Access
key: NewGuestName
register: change_existing_string_actual_check
- name: assert change existing string key check
assert:
that:
- change_existing_string_check is changed
- change_existing_string_actual_check.value == "Guest"
- name: change existing string key
win_security_policy:
section: System Access
key: NewGuestName
value: New Guest
register: change_existing_string
- name: get actual change existing string key
test_win_security_policy:
section: System Access
key: NewGuestName
register: change_existing_string_actual
- name: assert change existing string key
assert:
that:
- change_existing_string is changed
- change_existing_string_actual.value == "New Guest"
- name: change existing string key again
win_security_policy:
section: System Access
key: NewGuestName
value: New Guest
register: change_existing_string_again
- name: assert change existing string key again
assert:
that:
- change_existing_string_again is not changed
- change_existing_string_again.value == "New Guest"
- name: add policy setting
win_security_policy:
section: Privilege Rights
# following key is empty by default
key: SeCreateTokenPrivilege
# add Guests
value: '*S-1-5-32-546'
- name: get actual policy setting
test_win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
register: add_policy_setting_actual
- name: assert add policy setting
assert:
that:
- add_policy_setting_actual.value == '*S-1-5-32-546'
- name: remove policy setting
win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
value: ''
diff: yes
register: remove_policy_setting
- name: get actual policy setting
test_win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
register: remove_policy_setting_actual
- name: assert remove policy setting
assert:
that:
- remove_policy_setting is changed
- remove_policy_setting.diff.prepared == "[Privilege Rights]\n-SeCreateTokenPrivilege = *S-1-5-32-546\n+SeCreateTokenPrivilege = "
- remove_policy_setting_actual.value is none
- name: remove policy setting again
win_security_policy:
section: Privilege Rights
key: SeCreateTokenPrivilege
value: ''
register: remove_policy_setting_again
- name: assert remove policy setting again
assert:
that:
- remove_policy_setting_again is not changed
- remove_policy_setting_again.value == ''

1
test/sanity/ignore.txt
Unescape Escape View File

@ -225,7 +225,6 @@ test/support/windows-integration/plugins/modules/win_feature.ps1 pslint!skip
test/support/windows-integration/plugins/modules/win_find.ps1 pslint!skip
test/support/windows-integration/plugins/modules/win_lineinfile.ps1 pslint!skip
test/support/windows-integration/plugins/modules/win_regedit.ps1 pslint!skip
test/support/windows-integration/plugins/modules/win_security_policy.ps1 pslint!skip
test/support/windows-integration/plugins/modules/win_shell.ps1 pslint!skip
test/support/windows-integration/plugins/modules/win_wait_for.ps1 pslint!skip
test/units/executor/test_play_iterator.py pylint:disallowed-name

196
test/support/windows-integration/plugins/modules/win_security_policy.ps1
Unescape Escape View File

@ -1,196 +0,0 @@
#!powershell
# Copyright: (c) 2017, Jordan Borean <jborean93@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#Requires -Module Ansible.ModuleUtils.Legacy
$ErrorActionPreference = 'Stop'
$params = Parse-Args $args -supports_check_mode $true
$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false
$diff_mode = Get-AnsibleParam -obj $Params -name "_ansible_diff" -type "bool" -default $false
$section = Get-AnsibleParam -obj $params -name "section" -type "str" -failifempty $true
$key = Get-AnsibleParam -obj $params -name "key" -type "str" -failifempty $true
$value = Get-AnsibleParam -obj $params -name "value" -failifempty $true
$result = @{
changed = $false
section = $section
key = $key
value = $value
}
if ($diff_mode) {
$result.diff = @{}
}
Function Run-SecEdit($arguments) {
$stdout = $null
$stderr = $null
$log_path = [IO.Path]::GetTempFileName()
$arguments = $arguments + @("/log", $log_path)
try {
$stdout = &SecEdit.exe $arguments | Out-String
} catch {
$stderr = $_.Exception.Message
}
$log = Get-Content -Path $log_path
Remove-Item -Path $log_path -Force
$return = @{
log = ($log -join "`n").Trim()
stdout = $stdout
stderr = $stderr
rc = $LASTEXITCODE
}
return $return
}
Function Export-SecEdit() {
$secedit_ini_path = [IO.Path]::GetTempFileName()
# while this will technically make a change to the system in check mode by
# creating a new file, we need these values to be able to do anything
# substantial in check mode
$export_result = Run-SecEdit -arguments @("/export", "/cfg", $secedit_ini_path, "/quiet")
# check the return code and if the file has been populated, otherwise error out
if (($export_result.rc -ne 0) -or ((Get-Item -Path $secedit_ini_path).Length -eq 0)) {
Remove-Item -Path $secedit_ini_path -Force
$result.rc = $export_result.rc
$result.stdout = $export_result.stdout
$result.stderr = $export_result.stderr
Fail-Json $result "Failed to export secedit.ini file to $($secedit_ini_path)"
}
$secedit_ini = ConvertFrom-Ini -file_path $secedit_ini_path
return $secedit_ini
}
Function Import-SecEdit($ini) {
$secedit_ini_path = [IO.Path]::GetTempFileName()
$secedit_db_path = [IO.Path]::GetTempFileName()
Remove-Item -Path $secedit_db_path -Force # needs to be deleted for SecEdit.exe /import to work
$ini_contents = ConvertTo-Ini -ini $ini
Set-Content -Path $secedit_ini_path -Value $ini_contents
$result.changed = $true
$import_result = Run-SecEdit -arguments @("/configure", "/db", $secedit_db_path, "/cfg", $secedit_ini_path, "/quiet")
$result.import_log = $import_result.log
Remove-Item -Path $secedit_ini_path -Force
if ($import_result.rc -ne 0) {
$result.rc = $import_result.rc
$result.stdout = $import_result.stdout
$result.stderr = $import_result.stderr
Fail-Json $result "Failed to import secedit.ini file from $($secedit_ini_path)"
}
}
Function ConvertTo-Ini($ini) {
$content = @()
foreach ($key in $ini.GetEnumerator()) {
$section = $key.Name
$values = $key.Value
$content += "[$section]"
foreach ($value in $values.GetEnumerator()) {
$value_key = $value.Name
$value_value = $value.Value
if ($null -ne $value_value) {
$content += "$value_key = $value_value"
}
}
}
return $content -join "`r`n"
}
Function ConvertFrom-Ini($file_path) {
$ini = @{}
switch -Regex -File $file_path {
"^\[(.+)\]" {
$section = $matches[1]
$ini.$section = @{}
}
"(.+?)\s*=(.*)" {
$name = $matches[1].Trim()
$value = $matches[2].Trim()
if ($value -match "^\d+$") {
$value = [int]$value
} elseif ($value.StartsWith('"') -and $value.EndsWith('"')) {
$value = $value.Substring(1, $value.Length - 2)
}
$ini.$section.$name = $value
}
}
return $ini
}
if ($section -eq "Privilege Rights") {
Add-Warning -obj $result -message "Using this module to edit rights and privileges is error-prone, use the win_user_right module instead"
}
$will_change = $false
$secedit_ini = Export-SecEdit
if (-not ($secedit_ini.ContainsKey($section))) {
Fail-Json $result "The section '$section' does not exist in SecEdit.exe output ini"
}
if ($secedit_ini.$section.ContainsKey($key)) {
$current_value = $secedit_ini.$section.$key
if ($current_value -cne $value) {
if ($diff_mode) {
$result.diff.prepared = @"
[$section]
-$key = $current_value
+$key = $value
"@
}
$secedit_ini.$section.$key = $value
$will_change = $true
}
} elseif ([string]$value -eq "") {
# Value is requested to be removed, and has already been removed, do nothing
} else {
if ($diff_mode) {
$result.diff.prepared = @"
[$section]
+$key = $value
"@
}
$secedit_ini.$section.$key = $value
$will_change = $true
}
if ($will_change -eq $true) {
$result.changed = $true
if (-not $check_mode) {
Import-SecEdit -ini $secedit_ini
# secedit doesn't error out on improper entries, re-export and verify
# the changes occurred
$verification_ini = Export-SecEdit
$new_section_values = $verification_ini.$section
if ($new_section_values.ContainsKey($key)) {
$new_value = $new_section_values.$key
if ($new_value -cne $value) {
Fail-Json $result "Failed to change the value for key '$key' in section '$section', the value is still $new_value"
}
} elseif ([string]$value -eq "") {
# Value was empty, so OK if no longer in the result
} else {
Fail-Json $result "The key '$key' in section '$section' is not a valid key, cannot set this value"
}
}
}
Exit-Json $result

126
test/support/windows-integration/plugins/modules/win_security_policy.py
Unescape Escape View File

@ -1,126 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# this is a windows documentation stub, actual code lives in the .ps1
# file of the same name
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = r'''
---
module: win_security_policy
version_added: '2.4'
short_description: Change local security policy settings
description:
- Allows you to set the local security policies that are configured by
SecEdit.exe.
options:
section:
description:
- The ini section the key exists in.
- If the section does not exist then the module will return an error.
- Example sections to use are 'Account Policies', 'Local Policies',
'Event Log', 'Restricted Groups', 'System Services', 'Registry' and
'File System'
- If wanting to edit the C(Privilege Rights) section, use the
M(win_user_right) module instead.
type: str
required: yes
key:
description:
- The ini key of the section or policy name to modify.
- The module will return an error if this key is invalid.
type: str
required: yes
value:
description:
- The value for the ini key or policy name.
- If the key takes in a boolean value then 0 = False and 1 = True.
type: str
required: yes
notes:
- This module uses the SecEdit.exe tool to configure the values, more details
of the areas and keys that can be configured can be found here
U(https://msdn.microsoft.com/en-us/library/bb742512.aspx).
- If you are in a domain environment these policies may be set by a GPO policy,
this module can temporarily change these values but the GPO will override
it if the value differs.
- You can also run C(SecEdit.exe /export /cfg C:\temp\output.ini) to view the
current policies set on your system.
- When assigning user rights, use the M(win_user_right) module instead.
seealso:
- module: win_user_right
author:
- Jordan Borean (@jborean93)
'''
EXAMPLES = r'''
- name: Change the guest account name
win_security_policy:
section: System Access
key: NewGuestName
value: Guest Account
- name: Set the maximum password age
win_security_policy:
section: System Access
key: MaximumPasswordAge
value: 15
- name: Do not store passwords using reversible encryption
win_security_policy:
section: System Access
key: ClearTextPassword
value: 0
- name: Enable system events
win_security_policy:
section: Event Audit
key: AuditSystemEvents
value: 1
'''
RETURN = r'''
rc:
description: The return code after a failure when running SecEdit.exe.
returned: failure with secedit calls
type: int
sample: -1
stdout:
description: The output of the STDOUT buffer after a failure when running
SecEdit.exe.
returned: failure with secedit calls
type: str
sample: check log for error details
stderr:
description: The output of the STDERR buffer after a failure when running
SecEdit.exe.
returned: failure with secedit calls
type: str
sample: failed to import security policy
import_log:
description: The log of the SecEdit.exe /configure job that configured the
local policies. This is used for debugging purposes on failures.
returned: secedit.exe /import run and change occurred
type: str
sample: Completed 6 percent (0/15) \tProcess Privilege Rights area.
key:
description: The key in the section passed to the module to modify.
returned: success
type: str
sample: NewGuestName
section:
description: The section passed to the module to modify.
returned: success
type: str
sample: System Access
value:
description: The value passed to the module to modify to.
returned: success
type: str
sample: Guest Account
'''
Write Preview
Loading…
Cancel
Save