diff --git a/test/integration/targets/apt/tasks/repo.yml b/test/integration/targets/apt/tasks/repo.yml
index e1863f38b6e..35e6ce01878 100644
--- a/test/integration/targets/apt/tasks/repo.yml
+++ b/test/integration/targets/apt/tasks/repo.yml
@@ -263,3 +263,26 @@
 state: absent
 when:
 - aptitude_status.stdout.find('ii') == -1
+
+- block:
+ - name: Install the foo package with diff=yes
+ apt:
+ name: foo
+ allow_unauthenticated: yes
+ diff: yes
+ register: apt_result
+
+ - debug:
+ var: apt_result
+
+ - name: Check the content of diff.prepared
+ assert:
+ that:
+ - apt_result is success
+ - "'The following NEW packages will be installed:\n foo' in apt_result.diff.prepared"
+ always:
+ - name: Clean up
+ apt:
+ name: foo
+ state: absent
+ allow_unauthenticated: yes
diff --git a/test/integration/targets/incidental_win_security_policy/aliases b/test/integration/targets/incidental_win_security_policy/aliases
deleted file mode 100644
index a5fc90dcf48..00000000000
--- a/test/integration/targets/incidental_win_security_policy/aliases
+++ /dev/null
@@ -1,2 +0,0 @@
-shippable/windows/incidental
-windows
diff --git a/test/integration/targets/incidental_win_security_policy/library/test_win_security_policy.ps1 b/test/integration/targets/incidental_win_security_policy/library/test_win_security_policy.ps1
deleted file mode 100644
index 5c83c1b5d0d..00000000000
--- a/test/integration/targets/incidental_win_security_policy/library/test_win_security_policy.ps1
+++ /dev/null
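Review bot: In the new `diff=yes` block added to test/integration/targets/apt/tasks/repo.yml, the assert checks only `apt_result is success` and a substring of `apt_result.diff.prepared`, so it would still pass if the module reported no change. A failed install already stops the play, so `- apt_result is changed` would be a more useful first condition. The unnamed `debug: var: apt_result` task looks like leftover troubleshooting output and could be dropped or given a name. Both `apt` tasks set `allow_unauthenticated: yes`, which skips package signature verification. That is presumably needed because the test repository is unsigned, and a short comment such as `# local test repo is unsigned; do not copy allow_unauthenticated into real playbooks` would make that explicit.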
@@ -1,53 +0,0 @@ -#!powershell - -# WANT_JSON -# POWERSHELL_COMMON - -# basic script to get the lsit of users in a particular right -# this is quite complex to put as a simple script so this is -# just a simple module - -$ErrorActionPreference = 'Stop' - -$params = Parse-Args $args -supports_check_mode $false -$section = Get-AnsibleParam -obj $params -name "section" -type "str" -failifempty $true -$key = Get-AnsibleParam -obj $params -name "key" -type "str" -failifempty $true - -$result = @{ - changed = $false -} - -Function ConvertFrom-Ini($file_path) { - $ini = @{} - switch -Regex -File $file_path { - "^\[(.+)\]" { - $section = $matches[1] - $ini.$section = @{} - } - "(.+?)\s*=(.*)" { - $name = $matches[1].Trim() - $value = $matches[2].Trim() - if ($value -match "^\d+$") { - $value = [int]$value - } elseif ($value.StartsWith('"') -and $value.EndsWith('"')) { - $value = $value.Substring(1, $value.Length - 2) - } - - $ini.$section.$name = $value - } - } - - $ini -} - -$secedit_ini_path = [IO.Path]::GetTempFileName() -&SecEdit.exe /export /cfg $secedit_ini_path /quiet -$secedit_ini = ConvertFrom-Ini -file_path $secedit_ini_path - -if ($secedit_ini.ContainsKey($section)) { - $result.value = $secedit_ini.$section.$key -} else { - $result.value = $null -} - -Exit-Json $result diff --git a/test/integration/targets/incidental_win_security_policy/tasks/main.yml b/test/integration/targets/incidental_win_security_policy/tasks/main.yml deleted file mode 100644 index 28fdb5ea094..00000000000 --- a/test/integration/targets/incidental_win_security_policy/tasks/main.yml +++ /dev/null 
@@ -1,41 +0,0 @@
----
-- name: get current entry for audit
- test_win_security_policy:
- section: Event Audit
- key: AuditSystemEvents
- register: before_value_audit
-
-- name: get current entry for guest
- test_win_security_policy:
- section: System Access
- key: NewGuestName
- register: before_value_guest
-
-- block:
- - name: set AuditSystemEvents entry before tests
- win_security_policy:
- section: Event Audit
- key: AuditSystemEvents
- value: 0
-
- - name: set NewGuestName entry before tests
- win_security_policy:
- section: System Access
- key: NewGuestName
- value: Guest
-
- - name: run tests
- include_tasks: tests.yml
-
- always:
- - name: reset entries for AuditSystemEvents
- win_security_policy:
- section: Event Audit
- key: AuditSystemEvents
- value: "{{before_value_audit.value}}"
-
- - name: reset entries for NewGuestName
- win_security_policy:
- section: System Access
- key: NewGuestName
- value: "{{before_value_guest.value}}"
diff --git a/test/integration/targets/incidental_win_security_policy/tasks/tests.yml b/test/integration/targets/incidental_win_security_policy/tasks/tests.yml
deleted file mode 100644
index 724b6010a34..00000000000
--- a/test/integration/targets/incidental_win_security_policy/tasks/tests.yml
+++ /dev/null
@@ -1,186 +0,0 @@ ---- -- name: fail with invalid section name - win_security_policy: - section: This is not a valid section - key: KeyName - value: 0 - register: fail_invalid_section - failed_when: fail_invalid_section.msg != "The section 'This is not a valid section' does not exist in SecEdit.exe output ini" - -- name: fail with invalid key name - win_security_policy: - section: System Access - key: InvalidKey - value: 0 - register: fail_invalid_key - failed_when: fail_invalid_key.msg != "The key 'InvalidKey' in section 'System Access' is not a valid key, cannot set this value" - -- name: change existing key check - win_security_policy: - section: Event Audit - key: AuditSystemEvents - value: 1 - register: change_existing_check - check_mode: yes - -- name: get actual change existing key check - test_win_security_policy: - section: Event Audit - key: AuditSystemEvents - register: change_existing_actual_check - -- name: assert change existing key check - assert: - that: - - change_existing_check is changed - - change_existing_actual_check.value == 0 - -- name: change existing key - win_security_policy: - section: Event Audit - key: AuditSystemEvents - value: 1 - register: change_existing - -- name: get actual change existing key - test_win_security_policy: - section: Event Audit - key: AuditSystemEvents - register: change_existing_actual - -- name: assert change existing key - assert: - that: - - change_existing is changed - - change_existing_actual.value == 1 - -- name: change existing key again - win_security_policy: - section: Event Audit - key: AuditSystemEvents - value: 1 - register: change_existing_again - -- name: assert change existing key again - assert: - that: - - change_existing_again is not changed - - change_existing_again.value == 1 - -- name: change existing key with string type - win_security_policy: - section: Event Audit - key: AuditSystemEvents - value: "1" - register: change_existing_key_with_type - -- name: assert change existing key with 
string type - assert: - that: - - change_existing_key_with_type is not changed - - change_existing_key_with_type.value == "1" - -- name: change existing string key check - win_security_policy: - section: System Access - key: NewGuestName - value: New Guest - register: change_existing_string_check - check_mode: yes - -- name: get actual change existing string key check - test_win_security_policy: - section: System Access - key: NewGuestName - register: change_existing_string_actual_check - -- name: assert change existing string key check - assert: - that: - - change_existing_string_check is changed - - change_existing_string_actual_check.value == "Guest" - -- name: change existing string key - win_security_policy: - section: System Access - key: NewGuestName - value: New Guest - register: change_existing_string - -- name: get actual change existing string key - test_win_security_policy: - section: System Access - key: NewGuestName - register: change_existing_string_actual - -- name: assert change existing string key - assert: - that: - - change_existing_string is changed - - change_existing_string_actual.value == "New Guest" - -- name: change existing string key again - win_security_policy: - section: System Access - key: NewGuestName - value: New Guest - register: change_existing_string_again - -- name: assert change existing string key again - assert: - that: - - change_existing_string_again is not changed - - change_existing_string_again.value == "New Guest" - -- name: add policy setting - win_security_policy: - section: Privilege Rights - # following key is empty by default - key: SeCreateTokenPrivilege - # add Guests - value: '*S-1-5-32-546' - -- name: get actual policy setting - test_win_security_policy: - section: Privilege Rights - key: SeCreateTokenPrivilege - register: add_policy_setting_actual - -- name: assert add policy setting - assert: - that: - - add_policy_setting_actual.value == '*S-1-5-32-546' - -- name: remove policy setting - 
win_security_policy: - section: Privilege Rights - key: SeCreateTokenPrivilege - value: '' - diff: yes - register: remove_policy_setting - -- name: get actual policy setting - test_win_security_policy: - section: Privilege Rights - key: SeCreateTokenPrivilege - register: remove_policy_setting_actual - -- name: assert remove policy setting - assert: - that: - - remove_policy_setting is changed - - remove_policy_setting.diff.prepared == "[Privilege Rights]\n-SeCreateTokenPrivilege = *S-1-5-32-546\n+SeCreateTokenPrivilege = " - - remove_policy_setting_actual.value is none - -- name: remove policy setting again - win_security_policy: - section: Privilege Rights - key: SeCreateTokenPrivilege - value: '' - register: remove_policy_setting_again - -- name: assert remove policy setting again - assert: - that: - - remove_policy_setting_again is not changed - - remove_policy_setting_again.value == '' diff --git a/test/sanity/ignore.txt b/test/sanity/ignore.txt index 22ffadd21d1..37cbb3117fd 100644 --- a/test/sanity/ignore.txt +++ b/test/sanity/ignore.txt @@ -225,7 +225,6 @@ test/support/windows-integration/plugins/modules/win_feature.ps1 pslint!skip test/support/windows-integration/plugins/modules/win_find.ps1 pslint!skip test/support/windows-integration/plugins/modules/win_lineinfile.ps1 pslint!skip test/support/windows-integration/plugins/modules/win_regedit.ps1 pslint!skip -test/support/windows-integration/plugins/modules/win_security_policy.ps1 pslint!skip test/support/windows-integration/plugins/modules/win_shell.ps1 pslint!skip test/support/windows-integration/plugins/modules/win_wait_for.ps1 pslint!skip test/units/executor/test_play_iterator.py pylint:disallowed-name diff --git a/test/support/windows-integration/plugins/modules/win_security_policy.ps1 b/test/support/windows-integration/plugins/modules/win_security_policy.ps1 deleted file mode 100644 index 274204b6aaf..00000000000 
--- a/test/support/windows-integration/plugins/modules/win_security_policy.ps1
+++ /dev/null
@@ -1,196 +0,0 @@ -#!powershell - -# Copyright: (c) 2017, Jordan Borean -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -#Requires -Module Ansible.ModuleUtils.Legacy - -$ErrorActionPreference = 'Stop' - -$params = Parse-Args $args -supports_check_mode $true -$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false -$diff_mode = Get-AnsibleParam -obj $Params -name "_ansible_diff" -type "bool" -default $false - -$section = Get-AnsibleParam -obj $params -name "section" -type "str" -failifempty $true -$key = Get-AnsibleParam -obj $params -name "key" -type "str" -failifempty $true -$value = Get-AnsibleParam -obj $params -name "value" -failifempty $true - -$result = @{ - changed = $false - section = $section - key = $key - value = $value -} - -if ($diff_mode) { - $result.diff = @{} -} - -Function Run-SecEdit($arguments) { - $stdout = $null - $stderr = $null - $log_path = [IO.Path]::GetTempFileName() - $arguments = $arguments + @("/log", $log_path) - - try { - $stdout = &SecEdit.exe $arguments | Out-String - } catch { - $stderr = $_.Exception.Message - } - $log = Get-Content -Path $log_path - Remove-Item -Path $log_path -Force - - $return = @{ - log = ($log -join "`n").Trim() - stdout = $stdout - stderr = $stderr - rc = $LASTEXITCODE - } - - return $return -} - -Function Export-SecEdit() { - $secedit_ini_path = [IO.Path]::GetTempFileName() - # while this will technically make a change to the system in check mode by - # creating a new file, we need these values to be able to do anything - # substantial in check mode - $export_result = Run-SecEdit -arguments @("/export", "/cfg", $secedit_ini_path, "/quiet") - - # check the return code and if the file has been populated, otherwise error out - if (($export_result.rc -ne 0) -or ((Get-Item -Path $secedit_ini_path).Length -eq 0)) { - Remove-Item -Path $secedit_ini_path -Force - $result.rc = $export_result.rc - $result.stdout = 
$export_result.stdout - $result.stderr = $export_result.stderr - Fail-Json $result "Failed to export secedit.ini file to $($secedit_ini_path)" - } - $secedit_ini = ConvertFrom-Ini -file_path $secedit_ini_path - - return $secedit_ini -} - -Function Import-SecEdit($ini) { - $secedit_ini_path = [IO.Path]::GetTempFileName() - $secedit_db_path = [IO.Path]::GetTempFileName() - Remove-Item -Path $secedit_db_path -Force # needs to be deleted for SecEdit.exe /import to work - - $ini_contents = ConvertTo-Ini -ini $ini - Set-Content -Path $secedit_ini_path -Value $ini_contents - $result.changed = $true - - $import_result = Run-SecEdit -arguments @("/configure", "/db", $secedit_db_path, "/cfg", $secedit_ini_path, "/quiet") - $result.import_log = $import_result.log - Remove-Item -Path $secedit_ini_path -Force - if ($import_result.rc -ne 0) { - $result.rc = $import_result.rc - $result.stdout = $import_result.stdout - $result.stderr = $import_result.stderr - Fail-Json $result "Failed to import secedit.ini file from $($secedit_ini_path)" - } -} - -Function ConvertTo-Ini($ini) { - $content = @() - foreach ($key in $ini.GetEnumerator()) { - $section = $key.Name - $values = $key.Value - - $content += "[$section]" - foreach ($value in $values.GetEnumerator()) { - $value_key = $value.Name - $value_value = $value.Value - - if ($null -ne $value_value) { - $content += "$value_key = $value_value" - } - } - } - - return $content -join "`r`n" -} - -Function ConvertFrom-Ini($file_path) { - $ini = @{} - switch -Regex -File $file_path { - "^\[(.+)\]" { - $section = $matches[1] - $ini.$section = @{} - } - "(.+?)\s*=(.*)" { - $name = $matches[1].Trim() - $value = $matches[2].Trim() - if ($value -match "^\d+$") { - $value = [int]$value - } elseif ($value.StartsWith('"') -and $value.EndsWith('"')) { - $value = $value.Substring(1, $value.Length - 2) - } - - $ini.$section.$name = $value - } - } - - return $ini -} - -if ($section -eq "Privilege Rights") { - Add-Warning -obj $result -message "Using 
this module to edit rights and privileges is error-prone, use the win_user_right module instead" -} - -$will_change = $false -$secedit_ini = Export-SecEdit -if (-not ($secedit_ini.ContainsKey($section))) { - Fail-Json $result "The section '$section' does not exist in SecEdit.exe output ini" -} - -if ($secedit_ini.$section.ContainsKey($key)) { - $current_value = $secedit_ini.$section.$key - - if ($current_value -cne $value) { - if ($diff_mode) { - $result.diff.prepared = @" -[$section] --$key = $current_value -+$key = $value -"@ - } - - $secedit_ini.$section.$key = $value - $will_change = $true - } -} elseif ([string]$value -eq "") { - # Value is requested to be removed, and has already been removed, do nothing -} else { - if ($diff_mode) { - $result.diff.prepared = @" -[$section] -+$key = $value -"@ - } - $secedit_ini.$section.$key = $value - $will_change = $true -} - -if ($will_change -eq $true) { - $result.changed = $true - if (-not $check_mode) { - Import-SecEdit -ini $secedit_ini - - # secedit doesn't error out on improper entries, re-export and verify - # the changes occurred - $verification_ini = Export-SecEdit - $new_section_values = $verification_ini.$section - if ($new_section_values.ContainsKey($key)) { - $new_value = $new_section_values.$key - if ($new_value -cne $value) { - Fail-Json $result "Failed to change the value for key '$key' in section '$section', the value is still $new_value" - } - } elseif ([string]$value -eq "") { - # Value was empty, so OK if no longer in the result - } else { - Fail-Json $result "The key '$key' in section '$section' is not a valid key, cannot set this value" - } - } -} - -Exit-Json $result diff --git a/test/support/windows-integration/plugins/modules/win_security_policy.py b/test/support/windows-integration/plugins/modules/win_security_policy.py deleted file mode 100644 index d582a532317..00000000000 --- a/test/support/windows-integration/plugins/modules/win_security_policy.py +++ /dev/null 
@@ -1,126 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -# this is a windows documentation stub, actual code lives in the .ps1 -# file of the same name - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'community'} - -DOCUMENTATION = r''' ---- -module: win_security_policy -version_added: '2.4' -short_description: Change local security policy settings -description: -- Allows you to set the local security policies that are configured by - SecEdit.exe. -options: - section: - description: - - The ini section the key exists in. - - If the section does not exist then the module will return an error. - - Example sections to use are 'Account Policies', 'Local Policies', - 'Event Log', 'Restricted Groups', 'System Services', 'Registry' and - 'File System' - - If wanting to edit the C(Privilege Rights) section, use the - M(win_user_right) module instead. - type: str - required: yes - key: - description: - - The ini key of the section or policy name to modify. - - The module will return an error if this key is invalid. - type: str - required: yes - value: - description: - - The value for the ini key or policy name. - - If the key takes in a boolean value then 0 = False and 1 = True. - type: str - required: yes -notes: -- This module uses the SecEdit.exe tool to configure the values, more details - of the areas and keys that can be configured can be found here - U(https://msdn.microsoft.com/en-us/library/bb742512.aspx). -- If you are in a domain environment these policies may be set by a GPO policy, - this module can temporarily change these values but the GPO will override - it if the value differs. -- You can also run C(SecEdit.exe /export /cfg C:\temp\output.ini) to view the - current policies set on your system. -- When assigning user rights, use the M(win_user_right) module instead. 
-seealso: -- module: win_user_right -author: -- Jordan Borean (@jborean93) -''' - -EXAMPLES = r''' -- name: Change the guest account name - win_security_policy: - section: System Access - key: NewGuestName - value: Guest Account - -- name: Set the maximum password age - win_security_policy: - section: System Access - key: MaximumPasswordAge - value: 15 - -- name: Do not store passwords using reversible encryption - win_security_policy: - section: System Access - key: ClearTextPassword - value: 0 - -- name: Enable system events - win_security_policy: - section: Event Audit - key: AuditSystemEvents - value: 1 -''' - -RETURN = r''' -rc: - description: The return code after a failure when running SecEdit.exe. - returned: failure with secedit calls - type: int - sample: -1 -stdout: - description: The output of the STDOUT buffer after a failure when running - SecEdit.exe. - returned: failure with secedit calls - type: str - sample: check log for error details -stderr: - description: The output of the STDERR buffer after a failure when running - SecEdit.exe. - returned: failure with secedit calls - type: str - sample: failed to import security policy -import_log: - description: The log of the SecEdit.exe /configure job that configured the - local policies. This is used for debugging purposes on failures. - returned: secedit.exe /import run and change occurred - type: str - sample: Completed 6 percent (0/15) \tProcess Privilege Rights area. -key: - description: The key in the section passed to the module to modify. - returned: success - type: str - sample: NewGuestName -section: - description: The section passed to the module to modify. - returned: success - type: str - sample: System Access -value: - description: The value passed to the module to modify to. - returned: success - type: str - sample: Guest Account -'''