ansible/test/integration/targets/win_acl/tasks/tests.yml

363 lines
11 KiB
YAML
Raw Normal View History

# these are very basic tests, they should be expanded greatly as this is a core module
---
- name: get register cmd that will get ace info
set_fact:
test_ace_cmd: |
# Overcome bug in Set-Acl/Get-Acl for registry paths and -LiteralPath
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS > $null
Push-Location -LiteralPath (Split-Path -Path $path -Qualifier)
$rights_key = if ((Get-Item -LiteralPath $path -Force).PSProvider.Name -eq "Registry") {
"RegistryRights"
} else {
"FileSystemRights"
}
2019-03-15 04:57:41 +00:00
$ace_list = (Get-Acl -LiteralPath $path).Access | Where-Object { $_.IsInherited -eq $false } | ForEach-Object {
@{
rights = $_."$rights_key".ToString()
type = $_.AccessControlType.ToString()
identity = $_.IdentityReference.Value.ToString()
inheritance_flags = $_.InheritanceFlags.ToString()
propagation_flags = $_.PropagationFlags.ToString()
}
}
Pop-Location
ConvertTo-Json -InputObject @($ace_list)
- name: add write rights to Guest
win_acl:
path: '{{ test_acl_path }}'
type: allow
user: Guests
rights: Write
register: allow_right
- name: get result of add write rights to Guest
win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
register: allow_right_actual
- name: assert add write rights to Guest
assert:
that:
- allow_right is changed
- (allow_right_actual.stdout|from_json)|count == 1
- (allow_right_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
- (allow_right_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit, ObjectInherit'
- (allow_right_actual.stdout|from_json)[0].propagation_flags == 'None'
- (allow_right_actual.stdout|from_json)[0].rights == 'Write, Synchronize'
- (allow_right_actual.stdout|from_json)[0].type == 'Allow'
- name: add write rights to Guest (idempotent)
win_acl:
path: '{{ test_acl_path }}'
type: allow
user: Guests
rights: Write
register: allow_right_again
- name: assert add write rights to Guest (idempotent)
assert:
that:
- not allow_right_again is changed
- name: remove write rights from Guest
win_acl:
path: '{{ test_acl_path }}'
type: allow
user: Guests
rights: Write
state: absent
register: remove_right
- name: get result of remove write rights from Guest
win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
register: remove_right_actual
- name: assert remove write rights from Guest
assert:
that:
- remove_right is changed
- remove_right_actual.stdout_lines == ["[", "", "]"]
- name: remove write rights from Guest (idempotent)
win_acl:
path: '{{ test_acl_path }}'
type: allow
user: Guests
rights: Write
state: absent
register: remove_right_again
- name: assert remote write rights from Guest (idempotent)
assert:
that:
- not remove_right_again is changed
- name: add deny write rights to Guest
win_acl:
path: '{{ test_acl_path }}'
type: deny
user: Guests
rights: Write
inherit: ContainerInherit
propagation: NoPropagateInherit
state: present
register: add_deny_right
- name: get result of add deny write rights to Guest
win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
register: add_deny_right_actual
- name: assert add deny write rights to Guest
assert:
that:
- add_deny_right is changed
- (add_deny_right_actual.stdout|from_json)|count == 1
- (add_deny_right_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
- (add_deny_right_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit'
- (add_deny_right_actual.stdout|from_json)[0].propagation_flags == 'NoPropagateInherit'
- (add_deny_right_actual.stdout|from_json)[0].rights == 'Write'
- (add_deny_right_actual.stdout|from_json)[0].type == 'Deny'
- name: add deny write rights to Guest (idempotent)
win_acl:
path: '{{ test_acl_path }}'
type: deny
user: Guests
rights: Write
inherit: ContainerInherit
propagation: NoPropagateInherit
state: present
register: add_deny_right_again
- name: assert add deny write rights to Guest (idempotent)
assert:
that:
- not add_deny_right_again is changed
- name: remove deny write rights from Guest
win_acl:
path: '{{ test_acl_path }}'
type: deny
user: Guests
rights: Write
inherit: ContainerInherit
propagation: NoPropagateInherit
state: absent
register: remove_deny_right
- name: get result of remove deny write rights from Guest
win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
register: remove_deny_right_actual
- name: assert remove deny write rights from Guest
assert:
that:
- remove_deny_right is changed
- remove_deny_right_actual.stdout_lines == ["[", "", "]"]
- name: remove deny write rights from Guest (idempotent)
win_acl:
path: '{{ test_acl_path }}'
type: deny
user: Guests
rights: Write
inherit: ContainerInherit
propagation: NoPropagateInherit
state: absent
register: remove_deny_right_again
- name: assert remove deny write rights from Guest (idempotent)
assert:
that:
- not remove_deny_right_again is changed
- name: add write rights to Guest - network
win_acl:
path: '{{ test_acl_network_path }}'
type: allow
user: Guests
rights: Write
register: allow_right
- name: get result of add write rights to Guest - network
win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
register: allow_right_actual
- name: assert add write rights to Guest - network
assert:
that:
- allow_right is changed
- (allow_right_actual.stdout|from_json)|count == 1
- (allow_right_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
- (allow_right_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit, ObjectInherit'
- (allow_right_actual.stdout|from_json)[0].propagation_flags == 'None'
- (allow_right_actual.stdout|from_json)[0].rights == 'Write, Synchronize'
- (allow_right_actual.stdout|from_json)[0].type == 'Allow'
- name: remove write rights from Guest - network
win_acl:
path: '{{ test_acl_network_path }}'
type: allow
user: Guests
rights: Write
state: absent
register: remove_right
- name: get result of remove write rights from Guest - network
win_shell: '$path = ''{{ test_acl_path }}''; {{ test_ace_cmd }}'
register: remove_right_actual
- name: assert remove write rights from Guest
assert:
that:
- remove_right is changed
- remove_right_actual.stdout_lines == ["[", "", "]"]
- name: add write rights to Guest - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: allow
user: Guests
rights: WriteKey
register: allow_right_reg
- name: get result of add write rights to Guest - registry
win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
register: allow_right_reg_actual
- name: assert add write rights to Guest - registry
assert:
that:
- allow_right_reg is changed
- (allow_right_reg_actual.stdout|from_json)|count == 1
- (allow_right_reg_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
- (allow_right_reg_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit, ObjectInherit'
- (allow_right_reg_actual.stdout|from_json)[0].propagation_flags == 'None'
- (allow_right_reg_actual.stdout|from_json)[0].rights == 'WriteKey'
- (allow_right_reg_actual.stdout|from_json)[0].type == 'Allow'
- name: add write rights to Guest (idempotent) - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: allow
user: Guests
rights: WriteKey
register: allow_right_reg_again
- name: assert add write rights to Guest (idempotent) - registry
assert:
that:
- not allow_right_reg_again is changed
- name: remove write rights from Guest - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: allow
user: Guests
rights: WriteKey
state: absent
register: remove_right_reg
- name: get result of remove write rights from Guest - registry
win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
register: remove_right_reg_actual
- name: assert remove write rights from Guest - registry
assert:
that:
- remove_right_reg is changed
- remove_right_reg_actual.stdout_lines == ["[", "", "]"]
- name: remove write rights from Guest (idempotent) - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: allow
user: Guests
rights: WriteKey
state: absent
register: remove_right_reg_again
- name: assert remote write rights from Guest (idempotent) - registry
assert:
that:
- not remove_right_reg_again is changed
- name: add deny write rights to Guest - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: deny
user: Guests
rights: WriteKey
inherit: ContainerInherit
propagation: NoPropagateInherit
state: present
register: add_deny_right_reg
- name: get result of add deny write rights to Guest - registry
win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
register: add_deny_right_reg_actual
- name: assert add deny write rights to Guest - registry
assert:
that:
- add_deny_right_reg is changed
- (add_deny_right_reg_actual.stdout|from_json)|count == 1
- (add_deny_right_reg_actual.stdout|from_json)[0].identity == 'BUILTIN\Guests'
- (add_deny_right_reg_actual.stdout|from_json)[0].inheritance_flags == 'ContainerInherit'
- (add_deny_right_reg_actual.stdout|from_json)[0].propagation_flags == 'NoPropagateInherit'
- (add_deny_right_reg_actual.stdout|from_json)[0].rights == 'WriteKey'
- (add_deny_right_reg_actual.stdout|from_json)[0].type == 'Deny'
- name: add deny write rights to Guest (idempotent) - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: deny
user: Guests
rights: WriteKey
inherit: ContainerInherit
propagation: NoPropagateInherit
state: present
register: add_deny_right_reg_again
- name: assert add deny write rights to Guest (idempotent) - registry
assert:
that:
- not add_deny_right_reg_again is changed
- name: remove deny write rights from Guest - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: deny
user: Guests
rights: WriteKey
inherit: ContainerInherit
propagation: NoPropagateInherit
state: absent
register: remove_deny_right_reg
- name: get result of remove deny write rights from Guest - registry
win_shell: '$path = ''{{ test_acl_reg_path }}''; {{ test_ace_cmd }}'
register: remove_deny_right_reg_actual
- name: assert remove deny write rights from Guest - registry
assert:
that:
- remove_deny_right_reg is changed
- remove_deny_right_reg_actual.stdout_lines == ["[", "", "]"]
- name: remove deny write rights from Guest (idempotent) - registry
win_acl:
path: '{{ test_acl_reg_path }}'
type: deny
user: Guests
rights: WriteKey
inherit: ContainerInherit
propagation: NoPropagateInherit
state: absent
register: remove_deny_right_reg_again
- name: assert remove deny write rights from Guest (idempotent) - registry
assert:
that:
- not remove_deny_right_reg_again is changed