ansible/test/integration/targets/win_whoami/tasks/main.yml


---
# Baseline run: the token of the connection user itself, no become involved.
- name: run win_whoami with normal execution
  win_whoami:
  register: win_whoami_result

- name: assert win_whoami with normal execution
  assert:
    that:
      - win_whoami_result is not changed
      # identity fields must exist, but their values depend on the test host
      - win_whoami_result.account.account_name is defined
      - win_whoami_result.account.domain_name is defined
      - win_whoami_result.account.sid is defined
      - win_whoami_result.account.type == "User"
      - win_whoami_result.authentication_package is defined
      - win_whoami_result.dns_domain_name is defined
      # group membership: at least one entry, each with the full set of keys
      - win_whoami_result.groups | count >= 1
      - win_whoami_result.groups[0].account_name is defined
      - win_whoami_result.groups[0].attributes is defined
      - win_whoami_result.groups[0].domain_name is defined
      - win_whoami_result.groups[0].sid is defined
      - win_whoami_result.groups[0].type is defined
      - win_whoami_result.impersonation_level == "SecurityAnonymous"
      # mandatory integrity label: the connection user is expected to be elevated (High)
      - win_whoami_result.label.account_name == "High Mandatory Level"
      - win_whoami_result.label.domain_name == "Mandatory Label"
      - win_whoami_result.label.sid == "S-1-16-12288"
      - win_whoami_result.label.type == "Label"
      - win_whoami_result.login_domain is defined
      - win_whoami_result.login_time is defined
      - win_whoami_result.logon_id is defined
      - win_whoami_result.logon_server is defined
      # startswith rather than == because the exact Network logon variant is not pinned here
      - win_whoami_result.logon_type.startswith("Network")
      - win_whoami_result.privileges is defined
      - win_whoami_result.rights | count >= 1
      - win_whoami_result.token_type == "TokenPrimary"
      - win_whoami_result.upn is defined
      - win_whoami_result.user_flags is defined
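# Same module, executed as the LocalSystem account through runas become.
- name: run win_whoami with SYSTEM execution
  win_whoami:
  # canonical YAML boolean; the original `yes` is only a bool under YAML 1.1 rules
  become: true
  become_method: runas
  become_user: SYSTEM
  register: win_whoami_result

- name: assert win_whoami with SYSTEM execution
  assert:
    that:
      - not win_whoami_result is changed
      # S-1-5-18 is the well-known LocalSystem SID, so these values are fixed
      - win_whoami_result.account.account_name == 'SYSTEM'
      - win_whoami_result.account.domain_name == 'NT AUTHORITY'
      - win_whoami_result.account.sid == 'S-1-5-18'
      - win_whoami_result.account.type == 'User'
      - win_whoami_result.authentication_package is defined
      - win_whoami_result.dns_domain_name is defined
      - win_whoami_result.groups|count >= 1
      - win_whoami_result.groups[0].account_name is defined
      - win_whoami_result.groups[0].attributes is defined
      - win_whoami_result.groups[0].domain_name is defined
      - win_whoami_result.groups[0].sid is defined
      - win_whoami_result.groups[0].type is defined
      - win_whoami_result.impersonation_level == 'SecurityAnonymous'
      # SYSTEM runs at the System integrity level, one step above High
      - win_whoami_result.label.account_name == 'System Mandatory Level'
      - win_whoami_result.label.domain_name == 'Mandatory Label'
      - win_whoami_result.label.sid == 'S-1-16-16384'
      - win_whoami_result.label.type == 'Label'
      - win_whoami_result.login_domain is defined
      - win_whoami_result.login_time is defined
      - win_whoami_result.logon_id is defined
      - win_whoami_result.logon_server is defined
      - win_whoami_result.logon_type == 'System'
      - win_whoami_result.privileges is defined
      - win_whoami_result.rights|count >= 1
      - win_whoami_result.token_type == 'TokenPrimary'
      - win_whoami_result.upn is defined
      - win_whoami_result.user_flags is defined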
# Throwaway local accounts used by the become scenarios below; both are
# removed again in the `always` section of the following block.
- set_fact:
    become_username: ansible_become
    become_username_limited: ansible_limited
    # fixed prefix satisfies complexity rules, random suffix makes the value unique per run;
    # set_fact evaluates the lookup once so every later task sees the same password
    gen_pw: "password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"

# Guard against running the suite as one of the test accounts: the cleanup
# below deletes them, which would remove the account the run is using.
- name: ensure current user is not the become user
  win_shell: whoami
  register: whoami_out
  failed_when: >-
    whoami_out.stdout_lines[0].endswith(become_username)
    or whoami_out.stdout_lines[0].endswith(become_username_limited)

# Elevated test account (member of Administrators).
- name: create user
  win_user:
    name: "{{ become_username }}"
    password: "{{ gen_pw }}"
    update_password: always
    groups: Administrators
  register: become_user_info

# Unprivileged test account (member of Users only).
- name: create user limited
  win_user:
    name: "{{ become_username_limited }}"
    password: "{{ gen_pw }}"
    update_password: always
    groups: Users
  register: become_user_info_limited
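# Become scenarios for the two test accounts, with guaranteed cleanup.
- block:
    # Resolve the profile directory under become so it can be removed later;
    # the anchor is reused by the win_whoami run for the same account.
    - name: get become user profile dir so we can clean it up later
      vars: &become_vars
        ansible_become_user: "{{ become_username }}"
        ansible_become_password: "{{ gen_pw }}"
        ansible_become_method: runas
        ansible_become: true
      win_shell: $env:USERPROFILE
      register: profile_dir_out

    # Safety net for the rmdir in `always`: if become silently fell back to the
    # connection user, the path would be a real profile and must not be deleted.
    - name: ensure profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
      assert:
        that:
          - become_username in profile_dir_out.stdout_lines[0]

    - name: get become user limited profile dir so we can clean it up later
      vars: &become_vars_limited
        ansible_become_user: "{{ become_username_limited }}"
        ansible_become_password: "{{ gen_pw }}"
        ansible_become_method: runas
        ansible_become: true
      win_shell: $env:USERPROFILE
      register: profile_dir_out_limited

    - name: ensure limited profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
      assert:
        that:
          - become_username_limited in profile_dir_out_limited.stdout_lines[0]

    - name: run win_whoami with become execution
      win_whoami:
      vars: *become_vars
      register: win_whoami_result

    - name: assert win_whoami with become execution
      assert:
        that:
          - not win_whoami_result is changed
          - win_whoami_result.account.account_name == "ansible_become"
          - win_whoami_result.account.domain_name is defined
          # SID must match the account win_user just created, not some pre-existing one
          - win_whoami_result.account.sid == become_user_info.sid
          - win_whoami_result.account.type == 'User'
          - win_whoami_result.authentication_package == "NTLM"
          - win_whoami_result.dns_domain_name == ""
          - win_whoami_result.groups|count >= 1
          - win_whoami_result.groups[0].account_name is defined
          - win_whoami_result.groups[0].attributes is defined
          - win_whoami_result.groups[0].domain_name is defined
          - win_whoami_result.groups[0].sid is defined
          - win_whoami_result.groups[0].type is defined
          - win_whoami_result.impersonation_level is defined
          # Administrators member under runas gets a High integrity token
          - win_whoami_result.label.account_name == 'High Mandatory Level'
          - win_whoami_result.label.domain_name == 'Mandatory Label'
          - win_whoami_result.label.sid == 'S-1-16-12288'
          - win_whoami_result.label.type == 'Label'
          - win_whoami_result.login_domain is defined
          - win_whoami_result.login_time is defined
          - win_whoami_result.logon_id is defined
          - win_whoami_result.logon_server is defined
          - win_whoami_result.logon_type == "Interactive"
          - win_whoami_result.privileges is defined
          # quoted at the YAML level because the expression itself starts with a double quote
          - '"SeInteractiveLogonRight" in win_whoami_result.rights'
          - win_whoami_result.token_type == 'TokenPrimary'
          - win_whoami_result.upn == ''
          - win_whoami_result.user_flags is defined

    - name: run win_whoami with limited become execution
      win_whoami:
      vars: *become_vars_limited
      register: win_whoami_result

    - name: assert win_whoami with limited become execution
      assert:
        that:
          - not win_whoami_result is changed
          - win_whoami_result.account.account_name == "ansible_limited"
          - win_whoami_result.account.domain_name is defined
          - win_whoami_result.account.sid == become_user_info_limited.sid
          - win_whoami_result.account.type == 'User'
          - win_whoami_result.authentication_package == "NTLM"
          - win_whoami_result.dns_domain_name == ""
          - win_whoami_result.groups|count >= 1
          - win_whoami_result.groups[0].account_name is defined
          - win_whoami_result.groups[0].attributes is defined
          - win_whoami_result.groups[0].domain_name is defined
          - win_whoami_result.groups[0].sid is defined
          - win_whoami_result.groups[0].type is defined
          - win_whoami_result.impersonation_level is defined
          # Users-only member stays at Medium integrity
          - win_whoami_result.label.account_name == 'Medium Mandatory Level'
          - win_whoami_result.label.domain_name == 'Mandatory Label'
          - win_whoami_result.label.sid == 'S-1-16-8192'
          - win_whoami_result.label.type == 'Label'
          - win_whoami_result.login_domain is defined
          - win_whoami_result.login_time is defined
          - win_whoami_result.logon_id is defined
          - win_whoami_result.logon_server is defined
          - win_whoami_result.logon_type == "Interactive"
          - win_whoami_result.privileges is defined
          # the limited account holds no user rights at all
          - win_whoami_result.rights == []
          - win_whoami_result.token_type == 'TokenPrimary'
          - win_whoami_result.upn == ''
          - win_whoami_result.user_flags is defined

  always:
    - name: ensure test user is deleted
      win_user:
        name: "{{ item }}"
        state: absent
      with_items:
        - "{{ become_username }}"
        - "{{ become_username_limited }}"

    # The profile path is quoted so a directory containing spaces is passed to
    # rmdir as a single argument. The `when` list is evaluated in order: the
    # first entry skips the task when the become step failed before producing
    # output (otherwise indexing [0] would itself error inside `always`), and
    # the second repeats the "belongs to the test user" check from the block
    # so a real profile is never removed.
    - name: ensure test user profile is deleted
      win_shell: 'rmdir /S /Q "{{ profile_dir_out.stdout_lines[0] }}"'
      args:
        executable: cmd.exe
      when:
        - profile_dir_out.stdout_lines | default([]) | length > 0
        - become_username in profile_dir_out.stdout_lines[0]

    - name: ensure limited test user profile is deleted
      win_shell: 'rmdir /S /Q "{{ profile_dir_out_limited.stdout_lines[0] }}"'
      args:
        executable: cmd.exe
      when:
        - profile_dir_out_limited.stdout_lines | default([]) | length > 0
        - become_username_limited in profile_dir_out_limited.stdout_lines[0]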