cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

win_acl_inheritance - fix glob like paths (#53829)

Browse source
This commit is contained in:
Jordan Borean 2019-03-15 14:57:59 +10:00 committed by GitHub
parent aba6f5f50d
commit 3cfa71bff0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 89 additions and 94 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/win_acl_inheritance-paths.yaml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- win_acl_inheritance - Fix issues when using paths with glob like characters, e.g. ``[``, ``]``

12
lib/ansible/modules/windows/win_acl_inheritance.ps1
View file

@ -16,12 +16,12 @@ $path = Get-AnsibleParam -obj $params "path" -type "path" -failifempty $true
$state = Get-AnsibleParam -obj $params "state" -type "str" -default "absent" -validateSet "present","absent" -resultobj $result $state = Get-AnsibleParam -obj $params "state" -type "str" -default "absent" -validateSet "present","absent" -resultobj $result
$reorganize = Get-AnsibleParam -obj $params "reorganize" -type "bool" -default $false -resultobj $result $reorganize = Get-AnsibleParam -obj $params "reorganize" -type "bool" -default $false -resultobj $result
If (-Not (Test-Path -Path $path)) { If (-Not (Test-Path -LiteralPath $path)) {
Fail-Json $result "$path file or directory does not exist on the host" Fail-Json $result "$path file or directory does not exist on the host"
} }
Try { Try {
$objACL = Get-ACL -Path $path $objACL = Get-ACL -LiteralPath $path
# AreAccessRulesProtected - $false if inheritance is set ,$true if inheritance is not set # AreAccessRulesProtected - $false if inheritance is set ,$true if inheritance is not set
$inheritanceDisabled = $objACL.AreAccessRulesProtected $inheritanceDisabled = $objACL.AreAccessRulesProtected
@ -31,9 +31,9 @@ Try {
If ($reorganize) { If ($reorganize) {
# it wont work without intermediate save, state would be the same # it wont work without intermediate save, state would be the same
Set-ACL -Path $path -AclObject $objACL -WhatIf:$check_mode Set-ACL -LiteralPath $path -AclObject $objACL -WhatIf:$check_mode
$result.changed = $true $result.changed = $true
$objACL = Get-ACL -Path $path $objACL = Get-ACL -LiteralPath $path
# convert explicit ACE to inherited ACE # convert explicit ACE to inherited ACE
ForEach($inheritedRule in $objACL.Access) { ForEach($inheritedRule in $objACL.Access) {
@ -53,11 +53,11 @@ Try {
} }
} }
Set-ACL -Path $path -AclObject $objACL -WhatIf:$check_mode Set-ACL -LiteralPath $path -AclObject $objACL -WhatIf:$check_mode
$result.changed = $true $result.changed = $true
} Elseif (($state -eq "absent") -And (-not $inheritanceDisabled)) { } Elseif (($state -eq "absent") -And (-not $inheritanceDisabled)) {
$objACL.SetAccessRuleProtection($True, $reorganize) $objACL.SetAccessRuleProtection($True, $reorganize)
Set-ACL -Path $path -AclObject $objACL -WhatIf:$check_mode Set-ACL -LiteralPath $path -AclObject $objACL -WhatIf:$check_mode
$result.changed = $true $result.changed = $true
} }
} Catch { } Catch {

2
test/integration/targets/win_acl_inheritance/defaults/main.yml
View file

@ -1 +1 @@
test_win_acl_inheritance_path: C:\ansible\win_acl_inheritance test_win_acl_inheritance_path: C:\ansible\win_acl_inheritance .ÅÑŚÌβŁÈ [$!@^&test(;)]

14
test/integration/targets/win_acl_inheritance/library/test_get_acl.ps1
View file

@ -13,29 +13,21 @@ $result = @{
changed = $false changed = $false
} }
$acl = Get-Acl -Path $path $acl = Get-Acl -LiteralPath $path
$result.inherited = $acl.AreAccessRulesProtected -eq $false $result.inherited = $acl.AreAccessRulesProtected -eq $false
$user_details = @{} $user_details = @{}
$acl.Access | ForEach-Object { $acl.Access | ForEach-Object {
# Backslashes are the bane of my existance, convert to / to we can export to JSON $user = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
$user = $_.IdentityReference -replace '\\','/'
if ($user_details.ContainsKey($user)) { if ($user_details.ContainsKey($user)) {
$details = $user_details.$user $details = $user_details.$user
} else { } else {
$details = @{ $details = @{
isinherited = $false isinherited = $false
isnotinherited = $false
} }
} }
$details.isinherited = $_.IsInherited
if ($_.IsInherited) {
$details.isinherited = $true
} else {
$details.isnotinherited = $true
}
$user_details.$user = $details $user_details.$user = $details
} }

153
test/integration/targets/win_acl_inheritance/tasks/main.yml
View file

@ -1,24 +1,65 @@
--- ---
# Test setup # Test setup
- name: remove test folder for baseline # Use single task to save in CI runtime
win_file:
path: '{{test_win_acl_inheritance_path}}'
state: absent
- name: create test folders - name: create test folders
win_file: win_shell: |
path: '{{test_win_acl_inheritance_path}}\folder' $ErrorActionPreference = 'Stop'
state: directory
- name: create test files $tmp_dir = '{{ test_win_acl_inheritance_path }}'
win_copy: if (Test-Path -LiteralPath $tmp_dir) {
dest: '{{test_win_acl_inheritance_path}}\folder\file.txt' Remove-Item -LiteralPath $tmp_dir -Force -Recurse
content: a }
New-Item -Path $tmp_dir -ItemType Directory > $null
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$current_sid = ([System.DirectoryServices.AccountManagement.UserPrincipal]::Current).Sid
$system_sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$everyone_sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$sd = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
$sd.SetAccessRuleProtection($true, $false)
$sd.AddAccessRule(
(New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
$system_sid,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
))
)
$sd.AddAccessRule(
(New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
$current_sid,
[System.Security.AccessControl.FileSystemRights]::FullControl,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
))
)
$sd.AddAccessRule(
(New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
$everyone_sid,
[System.Security.AccessControl.FileSystemRights]::Read,
[System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
[System.Security.AccessControl.PropagationFlags]::None,
[System.Security.AccessControl.AccessControlType]::Allow
))
)
Set-Acl -LiteralPath $tmp_dir -AclObject $sd
New-Item -Path "$tmp_dir\folder" -ItemType Directory > $null
Set-Content -LiteralPath "$tmp_dir\folder\file.txt" -Value 'a'
$system_sid.Value
$current_sid.Value
$everyone_sid.Value
register: test_sids # register the output SID values used for comparison tests below
# Run tests # Run tests
- name: remove inheritance check - name: remove inheritance check
win_acl_inheritance: win_acl_inheritance:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True reorganize: True
state: absent state: absent
register: remove_check register: remove_check
@ -26,7 +67,7 @@
- name: get actual remove inheritance check - name: get actual remove inheritance check
test_get_acl: test_get_acl:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_remove_check register: actual_remove_check
- name: assert remove inheritance check - name: assert remove inheritance check
@ -34,17 +75,20 @@
that: that:
- remove_check is changed - remove_check is changed
- actual_remove_check.inherited == True - actual_remove_check.inherited == True
- actual_remove_check.user_details[test_sids.stdout_lines[0]].isinherited == True
- actual_remove_check.user_details[test_sids.stdout_lines[1]].isinherited == True
- actual_remove_check.user_details[test_sids.stdout_lines[2]].isinherited == True
- name: remove inheritance - name: remove inheritance
win_acl_inheritance: win_acl_inheritance:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True reorganize: True
state: absent state: absent
register: remove register: remove
- name: get actual remove inheritance - name: get actual remove inheritance
test_get_acl: test_get_acl:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_remove register: actual_remove
- name: assert remove inheritance - name: assert remove inheritance
@ -52,44 +96,25 @@
that: that:
- remove is changed - remove is changed
- actual_remove.inherited == False - actual_remove.inherited == False
- actual_remove.user_details['BUILTIN/Administrators'].isinherited == False - actual_remove.user_details[test_sids.stdout_lines[0]].isinherited == False
- actual_remove.user_details['BUILTIN/Administrators'].isnotinherited == True - actual_remove.user_details[test_sids.stdout_lines[1]].isinherited == False
- actual_remove.user_details['BUILTIN/Users'].isinherited == False - actual_remove.user_details[test_sids.stdout_lines[2]].isinherited == False
- actual_remove.user_details['BUILTIN/Users'].isnotinherited == True
- actual_remove.user_details['CREATOR OWNER'].isinherited == False
- actual_remove.user_details['CREATOR OWNER'].isnotinherited == True
- actual_remove.user_details['NT AUTHORITY/SYSTEM'].isinherited == False
- actual_remove.user_details['NT AUTHORITY/SYSTEM'].isnotinherited == True
- name: remove inheritance again - name: remove inheritance again
win_acl_inheritance: win_acl_inheritance:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True reorganize: True
state: absent state: absent
register: remove_again register: remove_again
- name: get actual remove inheritance again
test_get_acl:
path: '{{test_win_acl_inheritance_path}}\folder'
register: actual_remove_again
- name: assert remove inheritance again - name: assert remove inheritance again
assert: assert:
that: that:
- remove_again is not changed - remove_again is not changed
- actual_remove_again.inherited == False
- actual_remove.user_details['BUILTIN/Administrators'].isinherited == False
- actual_remove.user_details['BUILTIN/Administrators'].isnotinherited == True
- actual_remove.user_details['BUILTIN/Users'].isinherited == False
- actual_remove.user_details['BUILTIN/Users'].isnotinherited == True
- actual_remove.user_details['CREATOR OWNER'].isinherited == False
- actual_remove.user_details['CREATOR OWNER'].isnotinherited == True
- actual_remove.user_details['NT AUTHORITY/SYSTEM'].isinherited == False
- actual_remove.user_details['NT AUTHORITY/SYSTEM'].isnotinherited == True
- name: add inheritance check - name: add inheritance check
win_acl_inheritance: win_acl_inheritance:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True reorganize: True
state: present state: present
register: add_check register: add_check
@ -97,7 +122,7 @@
- name: get actual add inheritance check - name: get actual add inheritance check
test_get_acl: test_get_acl:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_add_check register: actual_add_check
- name: assert add inheritance check - name: assert add inheritance check
@ -105,25 +130,20 @@
that: that:
- add_check is changed - add_check is changed
- actual_add_check.inherited == False - actual_add_check.inherited == False
- actual_add_check.user_details['BUILTIN/Administrators'].isinherited == False - actual_add_check.user_details[test_sids.stdout_lines[0]].isinherited == False
- actual_add_check.user_details['BUILTIN/Administrators'].isnotinherited == True - actual_add_check.user_details[test_sids.stdout_lines[1]].isinherited == False
- actual_add_check.user_details['BUILTIN/Users'].isinherited == False - actual_add_check.user_details[test_sids.stdout_lines[2]].isinherited == False
- actual_add_check.user_details['BUILTIN/Users'].isnotinherited == True
- actual_add_check.user_details['CREATOR OWNER'].isinherited == False
- actual_add_check.user_details['CREATOR OWNER'].isnotinherited == True
- actual_add_check.user_details['NT AUTHORITY/SYSTEM'].isinherited == False
- actual_add_check.user_details['NT AUTHORITY/SYSTEM'].isnotinherited == True
- name: add inheritance - name: add inheritance
win_acl_inheritance: win_acl_inheritance:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True reorganize: True
state: present state: present
register: add register: add
- name: get actual add inheritance - name: get actual add inheritance
test_get_acl: test_get_acl:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
register: actual_add register: actual_add
- name: assert add inheritance - name: assert add inheritance
@ -131,43 +151,24 @@
that: that:
- add is changed - add is changed
- actual_add.inherited == True - actual_add.inherited == True
- actual_add.user_details['BUILTIN/Administrators'].isinherited == True - actual_add.user_details[test_sids.stdout_lines[0]].isinherited == True
- actual_add.user_details['BUILTIN/Administrators'].isnotinherited == False - actual_add.user_details[test_sids.stdout_lines[1]].isinherited == True
- actual_add.user_details['BUILTIN/Users'].isinherited == True - actual_add.user_details[test_sids.stdout_lines[2]].isinherited == True
- actual_add.user_details['BUILTIN/Users'].isnotinherited == True # Bug in win_acl_inheritance, resetting inheritance doubles up entries
- actual_add.user_details['CREATOR OWNER'].isinherited == True
- actual_add.user_details['CREATOR OWNER'].isnotinherited == False
- actual_add.user_details['NT AUTHORITY/SYSTEM'].isinherited == True
- actual_add.user_details['NT AUTHORITY/SYSTEM'].isnotinherited == False
- name: add inheritance again - name: add inheritance again
win_acl_inheritance: win_acl_inheritance:
path: '{{test_win_acl_inheritance_path}}\folder' path: '{{ test_win_acl_inheritance_path }}\folder'
reorganize: True reorganize: True
state: present state: present
register: add_again register: add_again
- name: get actual add inheritance again
test_get_acl:
path: '{{test_win_acl_inheritance_path}}\folder'
register: actual_add_again
- name: assert add inheritance again - name: assert add inheritance again
assert: assert:
that: that:
- add_again is not changed - add_again is not changed
- actual_add_again.inherited == True
- actual_add_again.user_details['BUILTIN/Administrators'].isinherited == True
- actual_add_again.user_details['BUILTIN/Administrators'].isnotinherited == False
- actual_add_again.user_details['BUILTIN/Users'].isinherited == True
- actual_add_again.user_details['BUILTIN/Users'].isnotinherited == True # Bug in win_acl_inheritance, resetting inheritance doubles up entries
- actual_add_again.user_details['CREATOR OWNER'].isinherited == True
- actual_add_again.user_details['CREATOR OWNER'].isnotinherited == False
- actual_add_again.user_details['NT AUTHORITY/SYSTEM'].isinherited == True
- actual_add_again.user_details['NT AUTHORITY/SYSTEM'].isnotinherited == False
# Test cleanup # Test cleanup
- name: remove test folder - name: remove test folder
win_file: win_file:
path: '{{test_win_acl_inheritance_path}}' path: '{{ test_win_acl_inheritance_path }}'
state: absent state: absent