mirror of https://github.com/ansible/ansible.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
113 lines
3.9 KiB
PowerShell
113 lines
3.9 KiB
PowerShell
#!powershell
|
|
|
|
#AnsibleRequires -CSharpUtil Ansible.Basic
|
|
#Requires -Module Ansible.ModuleUtils.PrivilegeUtil
|
|
|
|
$module = [Ansible.Basic.AnsibleModule]::Create($args, @{})
|
|
|
|
Function Assert-Equals($actual, $expected) {
|
|
if ($actual -cne $expected) {
|
|
$call_stack = (Get-PSCallStack)[1]
|
|
$module.Result.actual = $actual
|
|
$module.Result.expected = $expected
|
|
$module.Result.line = $call_stack.ScriptLineNumber
|
|
$module.Result.method = $call_stack.Position.Text
|
|
$module.FailJson("AssertionError: actual != expected")
|
|
}
|
|
}
|
|
|
|
# taken from https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/privilege-constants
|
|
$total_privileges = @(
|
|
"SeAssignPrimaryTokenPrivilege",
|
|
"SeAuditPrivilege",
|
|
"SeBackupPrivilege",
|
|
"SeChangeNotifyPrivilege",
|
|
"SeCreateGlobalPrivilege",
|
|
"SeCreatePagefilePrivilege",
|
|
"SeCreatePermanentPrivilege",
|
|
"SeCreateSymbolicLinkPrivilege",
|
|
"SeCreateTokenPrivilege",
|
|
"SeDebugPrivilege",
|
|
"SeEnableDelegationPrivilege",
|
|
"SeImpersonatePrivilege",
|
|
"SeIncreaseBasePriorityPrivilege",
|
|
"SeIncreaseQuotaPrivilege",
|
|
"SeIncreaseWorkingSetPrivilege",
|
|
"SeLoadDriverPrivilege",
|
|
"SeLockMemoryPrivilege",
|
|
"SeMachineAccountPrivilege",
|
|
"SeManageVolumePrivilege",
|
|
"SeProfileSingleProcessPrivilege",
|
|
"SeRelabelPrivilege",
|
|
"SeRemoteShutdownPrivilege",
|
|
"SeRestorePrivilege",
|
|
"SeSecurityPrivilege",
|
|
"SeShutdownPrivilege",
|
|
"SeSyncAgentPrivilege",
|
|
"SeSystemEnvironmentPrivilege",
|
|
"SeSystemProfilePrivilege",
|
|
"SeSystemtimePrivilege",
|
|
"SeTakeOwnershipPrivilege",
|
|
"SeTcbPrivilege",
|
|
"SeTimeZonePrivilege",
|
|
"SeTrustedCredManAccessPrivilege",
|
|
"SeUndockPrivilege"
|
|
)
|
|
|
|
$raw_privilege_output = &whoami /priv | Where-Object { $_.StartsWith("Se") }
|
|
$actual_privileges = @{}
|
|
foreach ($raw_privilege in $raw_privilege_output) {
|
|
$split = $raw_privilege.TrimEnd() -split " "
|
|
$actual_privileges."$($split[0])" = ($split[-1] -eq "Enabled")
|
|
}
|
|
$process = [Ansible.Privilege.PrivilegeUtil]::GetCurrentProcess()
|
|
|
|
### Test PS cmdlets ###
|
|
# test ps Get-AnsiblePrivilege
|
|
foreach ($privilege in $total_privileges) {
|
|
$expected = $null
|
|
if ($actual_privileges.ContainsKey($privilege)) {
|
|
$expected = $actual_privileges.$privilege
|
|
}
|
|
$actual = Get-AnsiblePrivilege -Name $privilege
|
|
Assert-Equals -actual $actual -expected $expected
|
|
}
|
|
|
|
# test c# GetAllPrivilegeInfo
|
|
$actual = [Ansible.Privilege.PrivilegeUtil]::GetAllPrivilegeInfo($process)
|
|
Assert-Equals -actual $actual.GetType().Name -expected 'Dictionary`2'
|
|
Assert-Equals -actual $actual.Count -expected $actual_privileges.Count
|
|
foreach ($privilege in $total_privileges) {
|
|
if ($actual_privileges.ContainsKey($privilege)) {
|
|
$actual_value = $actual.$privilege
|
|
if ($actual_privileges.$privilege) {
|
|
Assert-Equals -actual $actual_value.HasFlag([Ansible.Privilege.PrivilegeAttributes]::Enabled) -expected $true
|
|
} else {
|
|
Assert-Equals -actual $actual_value.HasFlag([Ansible.Privilege.PrivilegeAttributes]::Enabled) -expected $false
|
|
}
|
|
}
|
|
}
|
|
|
|
# test Set-AnsiblePrivilege
|
|
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $false # ensure we start with a disabled privilege
|
|
|
|
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $true -WhatIf
|
|
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
|
|
Assert-Equals -actual $actual -expected $false
|
|
|
|
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $true
|
|
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
|
|
Assert-Equals -actual $actual -expected $true
|
|
|
|
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $false -WhatIf
|
|
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
|
|
Assert-Equals -actual $actual -expected $true
|
|
|
|
Set-AnsiblePrivilege -Name SeUndockPrivilege -Value $false
|
|
$actual = Get-AnsiblePrivilege -Name SeUndockPrivilege
|
|
Assert-Equals -actual $actual -expected $false
|
|
|
|
$module.Result.data = "success"
|
|
$module.ExitJson()
|
|
|