mirror of https://github.com/ansible/ansible.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
306 lines
10 KiB
YAML
306 lines
10 KiB
YAML
- set_fact:
|
|
become_test_username: ansible_become_test
|
|
become_test_admin_username: ansible_become_admin
|
|
gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
|
|
|
|
- name: create unprivileged user
|
|
win_user:
|
|
name: "{{ become_test_username }}"
|
|
password: "{{ gen_pw }}"
|
|
update_password: always
|
|
groups: Users
|
|
register: user_limited_result
|
|
|
|
- name: create a privileged user
|
|
win_user:
|
|
name: "{{ become_test_admin_username }}"
|
|
password: "{{ gen_pw }}"
|
|
update_password: always
|
|
groups: Administrators
|
|
register: user_admin_result
|
|
|
|
- name: add requisite logon rights for test user
|
|
win_user_right:
|
|
name: '{{item}}'
|
|
users: '{{become_test_username}}'
|
|
action: add
|
|
with_items:
|
|
- SeNetworkLogonRight
|
|
- SeInteractiveLogonRight
|
|
- SeBatchLogonRight
|
|
|
|
- name: execute tests and ensure that test user is deleted regardless of success/failure
|
|
block:
|
|
- name: ensure current user is not the become user
|
|
win_whoami:
|
|
register: whoami_out
|
|
failed_when: whoami_out.account.sid == user_limited_result.sid or whoami_out.account.sid == user_admin_result.sid
|
|
|
|
- name: get become user profile dir so we can clean it up later
|
|
vars: &become_vars
|
|
ansible_become_user: "{{ become_test_username }}"
|
|
ansible_become_password: "{{ gen_pw }}"
|
|
ansible_become_method: runas
|
|
ansible_become: yes
|
|
win_shell: $env:USERPROFILE
|
|
register: profile_dir_out
|
|
|
|
- name: ensure profile dir contains test username (eg, if become fails silently, prevent deletion of real user profile)
|
|
assert:
|
|
that:
|
|
- become_test_username in profile_dir_out.stdout_lines[0]
|
|
|
|
- name: get become admin user profile dir so we can clean it up later
|
|
vars: &admin_become_vars
|
|
ansible_become_user: "{{ become_test_admin_username }}"
|
|
ansible_become_password: "{{ gen_pw }}"
|
|
ansible_become_method: runas
|
|
ansible_become: yes
|
|
win_shell: $env:USERPROFILE
|
|
register: admin_profile_dir_out
|
|
|
|
- name: ensure profile dir contains admin test username
|
|
assert:
|
|
that:
|
|
- become_test_admin_username in admin_profile_dir_out.stdout_lines[0]
|
|
|
|
- name: test become runas via task vars (underprivileged user)
|
|
vars: *become_vars
|
|
win_whoami:
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.account.sid == user_limited_result.sid
|
|
- whoami_out.account.account_name == become_test_username
|
|
- whoami_out.label.account_name == 'Medium Mandatory Level'
|
|
- whoami_out.label.sid == 'S-1-16-8192'
|
|
- whoami_out.logon_type == 'Interactive'
|
|
|
|
- name: test become runas via task vars (privileged user)
|
|
vars: *admin_become_vars
|
|
win_whoami:
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.account.sid == user_admin_result.sid
|
|
- whoami_out.account.account_name == become_test_admin_username
|
|
- whoami_out.label.account_name == 'High Mandatory Level'
|
|
- whoami_out.label.sid == 'S-1-16-12288'
|
|
- whoami_out.logon_type == 'Interactive'
|
|
|
|
- name: test become runas via task keywords
|
|
vars:
|
|
ansible_become_password: "{{ gen_pw }}"
|
|
become: yes
|
|
become_method: runas
|
|
become_user: "{{ become_test_username }}"
|
|
win_shell: whoami
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.stdout_lines[0].endswith(become_test_username)
|
|
|
|
- name: test become via block vars
|
|
vars: *become_vars
|
|
block:
|
|
- name: ask who the current user is
|
|
win_whoami:
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.account.sid == user_limited_result.sid
|
|
- whoami_out.account.account_name == become_test_username
|
|
- whoami_out.label.account_name == 'Medium Mandatory Level'
|
|
- whoami_out.label.sid == 'S-1-16-8192'
|
|
- whoami_out.logon_type == 'Interactive'
|
|
|
|
- name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
|
|
vars: *become_vars
|
|
setup:
|
|
|
|
- name: test become with SYSTEM account
|
|
win_whoami:
|
|
become: yes
|
|
become_method: runas
|
|
become_user: SYSTEM
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.account.sid == "S-1-5-18"
|
|
- whoami_out.account.account_name == "SYSTEM"
|
|
- whoami_out.account.domain_name == "NT AUTHORITY"
|
|
- whoami_out.label.account_name == 'System Mandatory Level'
|
|
- whoami_out.label.sid == 'S-1-16-16384'
|
|
- whoami_out.logon_type == 'System'
|
|
|
|
- name: test become with NetworkService account
|
|
win_whoami:
|
|
become: yes
|
|
become_method: runas
|
|
become_user: NetworkService
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.account.sid == "S-1-5-20"
|
|
- whoami_out.account.account_name == "NETWORK SERVICE"
|
|
- whoami_out.account.domain_name == "NT AUTHORITY"
|
|
- whoami_out.label.account_name == 'System Mandatory Level'
|
|
- whoami_out.label.sid == 'S-1-16-16384'
|
|
- whoami_out.logon_type == 'Service'
|
|
|
|
- name: test become with LocalService account
|
|
win_whoami:
|
|
become: yes
|
|
become_method: runas
|
|
become_user: LocalService
|
|
register: whoami_out
|
|
|
|
- name: verify output
|
|
assert:
|
|
that:
|
|
- whoami_out.account.sid == "S-1-5-19"
|
|
- whoami_out.account.account_name == "LOCAL SERVICE"
|
|
- whoami_out.account.domain_name == "NT AUTHORITY"
|
|
- whoami_out.label.account_name == 'System Mandatory Level'
|
|
- whoami_out.label.sid == 'S-1-16-16384'
|
|
- whoami_out.logon_type == 'Service'
|
|
|
|
# Test out Async on Windows Server 2012+
|
|
- name: get OS version
|
|
win_shell: |
|
|
$version = [System.Environment]::OSVersion.Version
|
|
if ($version -ge [Version]"6.2") {
|
|
"async"
|
|
} elseif ($version -lt [Version]"6.1") {
|
|
"old-gramps"
|
|
} else {
|
|
""
|
|
}
|
|
register: os_version
|
|
|
|
- name: test become + async on older hosts
|
|
vars: *become_vars
|
|
win_command: whoami
|
|
async: 10
|
|
register: whoami_out
|
|
ignore_errors: yes
|
|
|
|
- name: verify older hosts failed with become + async
|
|
assert:
|
|
that:
|
|
- whoami_out is failed
|
|
when: os_version.stdout_lines[0] != "async"
|
|
|
|
- name: verify newer hosts worked with become + async
|
|
assert:
|
|
that:
|
|
- whoami_out is successful
|
|
when: os_version.stdout_lines[0] == "async"
|
|
|
|
- name: test failure with string become invalid key
|
|
vars: *become_vars
|
|
win_whoami:
|
|
become_flags: logon_type=batch invalid_flags=a
|
|
become_method: runas
|
|
register: failed_flags_invalid_key
|
|
failed_when: failed_flags_invalid_key.msg != "become_flags key 'invalid_flags' is not a valid runas flag, must be 'logon_type' or 'logon_flags'"
|
|
|
|
- name: test failure with invalid logon_type
|
|
vars: *become_vars
|
|
win_whoami:
|
|
become_flags: logon_type=invalid
|
|
register: failed_flags_invalid_type
|
|
failed_when: "failed_flags_invalid_type.msg != \"become_flags logon_type value 'invalid' is not valid, valid values are: interactive, network, batch, service, unlock, network_cleartext, new_credentials\""
|
|
|
|
- name: test failure with invalid logon_flag
|
|
vars: *become_vars
|
|
win_whoami:
|
|
become_flags: logon_flags=with_profile,invalid
|
|
register: failed_flags_invalid_flag
|
|
failed_when: "failed_flags_invalid_flag.msg != \"become_flags logon_flags value 'invalid' is not valid, valid values are: with_profile, netcredentials_only\""
|
|
|
|
# Server 2008 doesn't work with network and network_cleartext, there isn't really a reason why you would want this anyway
|
|
- name: become different types
|
|
vars: *become_vars
|
|
win_whoami:
|
|
become_flags: logon_type={{item.type}}
|
|
register: become_logon_type
|
|
when: not ((item.type == 'network' or item.type == 'network_cleartext') and os_version.stdout_lines[0] == "old-gramps")
|
|
failed_when: become_logon_type.logon_type != item.actual and become_logon_type.sid != user_limited_result.sid
|
|
with_items:
|
|
- type: interactive
|
|
actual: Interactive
|
|
- type: batch
|
|
actual: Batch
|
|
- type: network
|
|
actual: Network
|
|
- type: network_cleartext
|
|
actual: NetworkCleartext
|
|
|
|
- name: become netcredentials with network user
|
|
vars:
|
|
ansible_become_user: fakeuser
|
|
ansible_become_password: fakepassword
|
|
ansible_become_method: runas
|
|
ansible_become: True
|
|
ansible_become_flags: logon_type=new_credentials logon_flags=netcredentials_only
|
|
win_whoami:
|
|
register: become_netcredentials
|
|
|
|
- name: assert become netcredentials with network user
|
|
assert:
|
|
that:
|
|
# new_credentials still come up as the ansible_user so we can't test that
|
|
- become_netcredentials.label.account_name == 'High Mandatory Level'
|
|
- become_netcredentials.label.sid == 'S-1-16-12288'
|
|
|
|
# FUTURE: test raw + script become behavior once they're running under the exec wrapper again
|
|
# FUTURE: add standalone playbook tests to include password prompting and play become keywords
|
|
|
|
always:
|
|
- name: remove explicit logon rights for test user
|
|
win_user_right:
|
|
name: '{{item}}'
|
|
users: '{{become_test_username}}'
|
|
action: remove
|
|
with_items:
|
|
- SeNetworkLogonRight
|
|
- SeInteractiveLogonRight
|
|
- SeBatchLogonRight
|
|
|
|
- name: ensure underprivileged test user is deleted
|
|
win_user:
|
|
name: "{{ become_test_username }}"
|
|
state: absent
|
|
|
|
- name: ensure privileged test user is deleted
|
|
win_user:
|
|
name: "{{ become_test_admin_username }}"
|
|
state: absent
|
|
|
|
- name: ensure underprivileged test user profile is deleted
|
|
# NB: have to work around powershell limitation of long filenames until win_file fixes it
|
|
win_shell: rmdir /S /Q {{ profile_dir_out.stdout_lines[0] }}
|
|
args:
|
|
executable: cmd.exe
|
|
when: become_test_username in profile_dir_out.stdout_lines[0]
|
|
|
|
- name: ensure privileged test user profile is deleted
|
|
# NB: have to work around powershell limitation of long filenames until win_file fixes it
|
|
win_shell: rmdir /S /Q {{ admin_profile_dir_out.stdout_lines[0] }}
|
|
args:
|
|
executable: cmd.exe
|
|
when: become_test_admin_username in admin_profile_dir_out.stdout_lines[0]
|