From 07edcab05123e06ca4025dec371239212dd83273 Mon Sep 17 00:00:00 2001 From: Shachaf92 Date: Fri, 5 Jul 2019 01:08:23 +0300 Subject: [PATCH] win_acl: Fix problems with special IDRef in different languages than english (#57281) * Change special id ref recognitionto avoid language diff * Changelog added * specialIdRefPrefixes to array * Changed to the more generic option --- ...-Win_acl-Ignore-language-diff-in-IDRefs.yml | 2 ++ lib/ansible/modules/windows/win_acl.ps1 | 18 +++--------------- 2 files changed, 5 insertions(+), 15 deletions(-) create mode 100644 changelogs/fragments/Make-Win_acl-Ignore-language-diff-in-IDRefs.yml diff --git a/changelogs/fragments/Make-Win_acl-Ignore-language-diff-in-IDRefs.yml b/changelogs/fragments/Make-Win_acl-Ignore-language-diff-in-IDRefs.yml new file mode 100644 index 00000000000..af3cd622f2f --- /dev/null +++ b/changelogs/fragments/Make-Win_acl-Ignore-language-diff-in-IDRefs.yml @@ -0,0 +1,2 @@ +bugfixes: + - "win_acl - Change special id ref recognitionto avoid language diff (https://github.com/ansible/ansible/issues/56757)" diff --git a/lib/ansible/modules/windows/win_acl.ps1 b/lib/ansible/modules/windows/win_acl.ps1 index af55f2ae21f..8fc344bfc16 100644 --- a/lib/ansible/modules/windows/win_acl.ps1 +++ b/lib/ansible/modules/windows/win_acl.ps1 @@ -158,27 +158,15 @@ Try { # Check if the ACE exists already in the objects ACL list $match = $false - # Workaround to handle special use case 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' and - # 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name (win32 API bug/oddity) - # 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16 - $specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES" - ForEach($rule in $objACL.Access){ - $idRefShortValue = ($rule.IdentityReference.Value).split('\')[-1] - - if ( $idRefShortValue -in $specialIdRefs ) { - $ruleIdentity = (New-Object Security.Principal.NTAccount $idRefShortValue).Translate([Security.Principal.SecurityIdentifier]) - } - else { - $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) - } + ForEach($rule in $objACL.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])){ If ($path_item.PSProvider.Name -eq "Registry") { - If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { + If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { $match = $true Break } } else { - If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { + If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { $match = $true Break }