|
|
@ -1,7 +1,7 @@
|
|
|
|
- set_fact:
|
|
|
|
- set_fact:
|
|
|
|
become_test_username: ansible_become_test
|
|
|
|
become_test_username: ansible_become_test
|
|
|
|
become_test_admin_username: ansible_become_admin
|
|
|
|
become_test_admin_username: ansible_become_admin
|
|
|
|
gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
|
|
|
|
gen_pw: "{{ 'password123!' + lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"
|
|
|
|
|
|
|
|
|
|
|
|
- name: create unprivileged user
|
|
|
|
- name: create unprivileged user
|
|
|
|
win_user:
|
|
|
|
win_user:
|
|
|
@ -29,6 +29,10 @@
|
|
|
|
- SeInteractiveLogonRight
|
|
|
|
- SeInteractiveLogonRight
|
|
|
|
- SeBatchLogonRight
|
|
|
|
- SeBatchLogonRight
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: fetch current target date/time for log filtering
|
|
|
|
|
|
|
|
raw: '[datetime]::now | Out-String'
|
|
|
|
|
|
|
|
register: test_starttime
|
|
|
|
|
|
|
|
|
|
|
|
- name: execute tests and ensure that test user is deleted regardless of success/failure
|
|
|
|
- name: execute tests and ensure that test user is deleted regardless of success/failure
|
|
|
|
block:
|
|
|
|
block:
|
|
|
|
- name: ensure current user is not the become user
|
|
|
|
- name: ensure current user is not the become user
|
|
|
@ -82,7 +86,7 @@
|
|
|
|
vars: *admin_become_vars
|
|
|
|
vars: *admin_become_vars
|
|
|
|
win_whoami:
|
|
|
|
win_whoami:
|
|
|
|
register: whoami_out
|
|
|
|
register: whoami_out
|
|
|
|
|
|
|
|
|
|
|
|
- name: verify output
|
|
|
|
- name: verify output
|
|
|
|
assert:
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
that:
|
|
|
@ -121,7 +125,7 @@
|
|
|
|
- whoami_out.label.account_name == 'Medium Mandatory Level'
|
|
|
|
- whoami_out.label.account_name == 'Medium Mandatory Level'
|
|
|
|
- whoami_out.label.sid == 'S-1-16-8192'
|
|
|
|
- whoami_out.label.sid == 'S-1-16-8192'
|
|
|
|
- whoami_out.logon_type == 'Interactive'
|
|
|
|
- whoami_out.logon_type == 'Interactive'
|
|
|
|
|
|
|
|
|
|
|
|
- name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
|
|
|
|
- name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
|
|
|
|
vars: *become_vars
|
|
|
|
vars: *become_vars
|
|
|
|
setup:
|
|
|
|
setup:
|
|
|
@ -138,14 +142,14 @@
|
|
|
|
- '"Failed to become user " + become_test_username not in become_invalid_pass.msg'
|
|
|
|
- '"Failed to become user " + become_test_username not in become_invalid_pass.msg'
|
|
|
|
- '"LogonUser failed" not in become_invalid_pass.msg'
|
|
|
|
- '"LogonUser failed" not in become_invalid_pass.msg'
|
|
|
|
- '"Win32ErrorCode 1326)" not in become_invalid_pass.msg'
|
|
|
|
- '"Win32ErrorCode 1326)" not in become_invalid_pass.msg'
|
|
|
|
|
|
|
|
|
|
|
|
- name: test become with SYSTEM account
|
|
|
|
- name: test become with SYSTEM account
|
|
|
|
win_whoami:
|
|
|
|
win_whoami:
|
|
|
|
become: yes
|
|
|
|
become: yes
|
|
|
|
become_method: runas
|
|
|
|
become_method: runas
|
|
|
|
become_user: SYSTEM
|
|
|
|
become_user: SYSTEM
|
|
|
|
register: whoami_out
|
|
|
|
register: whoami_out
|
|
|
|
|
|
|
|
|
|
|
|
- name: verify output
|
|
|
|
- name: verify output
|
|
|
|
assert:
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
that:
|
|
|
@ -162,7 +166,7 @@
|
|
|
|
become_method: runas
|
|
|
|
become_method: runas
|
|
|
|
become_user: NetworkService
|
|
|
|
become_user: NetworkService
|
|
|
|
register: whoami_out
|
|
|
|
register: whoami_out
|
|
|
|
|
|
|
|
|
|
|
|
- name: verify output
|
|
|
|
- name: verify output
|
|
|
|
assert:
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
that:
|
|
|
@ -179,7 +183,7 @@
|
|
|
|
become_method: runas
|
|
|
|
become_method: runas
|
|
|
|
become_user: LocalService
|
|
|
|
become_user: LocalService
|
|
|
|
register: whoami_out
|
|
|
|
register: whoami_out
|
|
|
|
|
|
|
|
|
|
|
|
- name: verify output
|
|
|
|
- name: verify output
|
|
|
|
assert:
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
that:
|
|
|
@ -195,11 +199,12 @@
|
|
|
|
win_command: whoami
|
|
|
|
win_command: whoami
|
|
|
|
async: 10
|
|
|
|
async: 10
|
|
|
|
register: whoami_out
|
|
|
|
register: whoami_out
|
|
|
|
|
|
|
|
|
|
|
|
- name: verify become + async worked
|
|
|
|
- name: verify become + async worked
|
|
|
|
assert:
|
|
|
|
assert:
|
|
|
|
that:
|
|
|
|
that:
|
|
|
|
- whoami_out is successful
|
|
|
|
- whoami_out is successful
|
|
|
|
|
|
|
|
- become_test_username in whoami_out.stdout
|
|
|
|
|
|
|
|
|
|
|
|
- name: test failure with string become invalid key
|
|
|
|
- name: test failure with string become invalid key
|
|
|
|
vars: *become_vars
|
|
|
|
vars: *become_vars
|
|
|
@ -313,6 +318,18 @@
|
|
|
|
- nonascii_output.stdout_lines[0] == 'über den Fußgängerübergang gehen'
|
|
|
|
- nonascii_output.stdout_lines[0] == 'über den Fußgängerübergang gehen'
|
|
|
|
- nonascii_output.stderr == ''
|
|
|
|
- nonascii_output.stderr == ''
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: get PS events containing password or module args created since test start
|
|
|
|
|
|
|
|
raw: |
|
|
|
|
|
|
|
|
$dt=[datetime]"{{ test_starttime.stdout|trim }}"
|
|
|
|
|
|
|
|
(Get-WinEvent -LogName Microsoft-Windows-Powershell/Operational |
|
|
|
|
|
|
|
|
? { $_.TimeCreated -ge $dt -and $_.Message -match "{{ gen_pw }}|whoami" }).Count
|
|
|
|
|
|
|
|
register: ps_log_count
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: assert no PS events contain password or module args
|
|
|
|
|
|
|
|
assert:
|
|
|
|
|
|
|
|
that:
|
|
|
|
|
|
|
|
- ps_log_count.stdout | int == 0
|
|
|
|
|
|
|
|
|
|
|
|
# FUTURE: test raw + script become behavior once they're running under the exec wrapper again
|
|
|
|
# FUTURE: test raw + script become behavior once they're running under the exec wrapper again
|
|
|
|
# FUTURE: add standalone playbook tests to include password prompting and play become keywords
|
|
|
|
# FUTURE: add standalone playbook tests to include password prompting and play become keywords
|
|
|
|
|
|
|
|
|
|
|
|